Data protection legal updates from Shoosmiths LLP
https://www.shoosmiths.co.uk/rss/5683.aspx
Language: en-GB. Publisher: Shoosmiths. Feed image: https://www.shoosmiths.co.uk/-/media/shoosmiths/shoosmiths-rss-image.jpg?h=144&w=144

What impacts will a no deal Brexit have on data protection?
https://www.shoosmiths.co.uk/client-resources/legal-updates/what-impacts-will-a-no-deal-brexit-have-on-data-protection.aspx
Published: Tue, 08 Jan 2019 00:00:00 Z. Authors: JP Buckley, Sarah Tedstone
In a no deal Brexit, what rules will apply to privacy, data protection, direct marketing and electronic communications?

How to avoid an unnecessary DPIA
https://www.shoosmiths.co.uk/client-resources/legal-updates/how-to-avoid-an-unneccesary-dpia.aspx
Published: Tue, 08 Jan 2019 00:00:00 Z. Authors: JP Buckley, Andrew Mills
A Data Protection Impact Assessment (DPIA) is a process designed to help organisations systematically analyse, identify and minimise the data protection risks of a project or plan.

Data breach, cyber & security incidents
https://www.shoosmiths.co.uk/services/data-protection/data-breach-cyber-security-incidents.aspx
Published: Mon, 05 Nov 2018 00:00:00 Z

GDPR five months on: ICO guidance update
https://www.shoosmiths.co.uk/client-resources/legal-updates/gdpr-five-months-on-ico-guidance-update.aspx
Published: Fri, 26 Oct 2018 00:00:00 +0100. Authors: JP Buckley, Matt Quezada and Jess Dick
It's been five months since GDPR became enforceable. The 25 May deadline has come and gone, but organisations must continue to focus on their data protection obligations - the Information Commissioner has referred to this as an ongoing compliance journey.

Another week, more breach related fines - and check if you need to register!
https://www.shoosmiths.co.uk/client-resources/legal-updates/another-week-more-breach-related-fines-14673.aspx
Published: Fri, 12 Oct 2018 00:00:00 +0100. Author: JP Buckley
The ICO continues to undertake enforcement action under the previous Data Protection Act 1998. It applies where the breach was before 25 May 2018, when the GDPR and Data Protection Act 2018 came into force.

GDPR... What next...?
https://www.shoosmiths.co.uk/client-resources/legal-updates/gdpr-what-next-14670.aspx
Published: Thu, 11 Oct 2018 00:00:00 +0100. Author: JP Buckley
25 May 2018, when GDPR and the associated UK Data Protection Act 2018 came into force, was a landmark date for data privacy, but fast forward nearly six months: what should you be doing now?

Three eras - the sunset of £500K, the dawn of GDPR enforcement and the horizon of Brexit
https://www.shoosmiths.co.uk/client-resources/legal-updates/three-eras-sunset-500k-dawn-of-gdpr-and-brexit-14629.aspx

In just a short space of time, the ever-evolving world of data protection and cyber has seen yet more change:

Potentially one of the last enforcement actions under the Data Protection Act 1998 against Equifax - and a maximum £500,000 fine for them for failing to secure UK citizens' personal data against breach. This is against the UK part of the organisation, but for its failure to secure the data while it was being held by the US-based group company.

News of the first enforcement notice from the ICO against Canada's Aggregate IQ - the organisation that assisted with the profiling and targeting of adverts to gain support for Vote Leave. Interestingly, the notice lists a range of non-compliances including processing without a lawful basis, and failing to provide transparency information to the individuals whose data it was. The notice requires the data processing to be ceased; it is dated 6 July but was only reported in the media on 20 September. Aggregate IQ have filed a notice to appeal the enforcement notice. We wait to see what happens next. This is, of course, all part of the deeper investigation into political campaigning which has been ongoing with the ICO for some months and has already resulted in fines for Vote Leave itself and Emma's Diary.
Brexit - the government published its paper on the no deal implications for data protection. There were two key takeaways: firstly, that the UK had hoped an "adequacy decision" from the EU would allow personal data to continue to transfer between the EU and the UK, but that this may not now happen in time; and secondly, if that is the case, the EU model clauses are intended to be used for data transfers should the adequacy decision not be provided. This may lead to a rush for model clauses as we approach the March date. However, for now it is best to maintain a watching brief, as we have heard elsewhere that a separate deal on data protection may be done. We know the ICO is keen to maintain a seat on the European Data Protection Board (EDPB), which replaces the Article 29 Working Party.

So what does this all mean? Well, data protection and cyber security is headline news yet again. Coming only a few days after the BA breach and news of a group action on behalf of affected passengers, this will be worrying reading for boards and managers around the country. We would recommend:

(a) checking security steps, ensuring your board/managers are briefed on the 5 steps as set out by the National Cyber Security Centre - https://www.ncsc.gov.uk/guidance/board-toolkit-five-questions-your-boards-agenda. Avoid single points of failure or human error;
(b) being clear on how and why you collect data, what your legal justification for this is, and how you are clear with individuals as to how their personal data is being used and shared; and
(c) being ready for the implications of Brexit - knowing where personal data is coming from and going to should be clear already in your data inventories/records of processing, but ensuring you know where the contracts are and how they can be updated could be important - let's hope there is a Brexit deal, or a data protection deal at the least.
Do let your usual Shoosmiths contact know if you have any queries, or get in touch with one of the data protection team - JP Buckley, Ana Fowle, Sherif Malak and Sarah Tedstone, supported by our team members in our offices around the country.

Disclaimer: This document is for informational purposes only and does not constitute legal advice. It is recommended that specific professional advice is sought before acting on any of the information given.
Published: Fri, 21 Sep 2018 00:00:00 +0100. Author: JP Buckley

Notification: Facebook - you have a £500,000 fine from the Information Commissioner's Office
https://www.shoosmiths.co.uk/client-resources/legal-updates/facebook-fine-from-the-ico-14386.aspx

Facebook is set to be fined £500,000, the maximum amount possible, for two breaches of the Data Protection Act 1998 (DPA 1998).

The facts

Due to the timing of the breaches, the ICO was unable to levy the fines introduced by the General Data Protection Regulation (GDPR), which caps fines at the higher level of EUR 20m or 4% of annual global group turnover - which in Facebook's case is around $1.9bn. The ICO has stated that the social media giant is in breach of the DPA 1998 for lack of transparency and security issues relating to the harvesting of data. However, although Facebook managed to avoid higher fines, it was unable to escape what The Economist described as a "reputation meltdown".

Fake news?

The ongoing ICO inquiry has become the largest investigation of its type and involves social media online platforms, data brokers, analytics firms, academic institutions, political parties and campaign groups, and even the operator of a mother and baby website. A key strand of the investigation surrounds the link between Cambridge Analytica, its parent company SCL Elections Limited, and Aggregate IQ. It involves allegations that Facebook data may have been misused in the UK referendum and to target voters during the 2016 American presidential election.
The groups

11 political parties have received a warning letter and notices compelling them to agree to audits of their data protection practices. The ICO will also conduct audits of the main credit reference companies and the Cambridge University Psychometric Centre. The ICO issued an enforcement notice to SCL Elections Limited requiring them to deal with a subject access request from a Professor Carroll. The ICO is now taking steps to bring a criminal prosecution against SCL Elections Limited for failing to properly deal with the Enforcement Notice issued by the ICO. An enforcement notice has been served on Aggregate IQ to stop processing retained data belonging to UK citizens. The ICO has issued a notice of intent to take regulatory action against Emma's Diary, a data broker website that provides information to new parents.

Transparency

These organisations fell foul of the first principle of the DPA 1998. There was a lack of transparency from the organisations and a lack of consent from the individuals involved (where required) around how that data was subsequently used by the political parties in their profiling, analytics and targeting. Under the accountability principle laid out in Article 5.2 of the GDPR (the rules which now apply, following 25 May 2018), a data controller "must be able to demonstrate that personal data are processed in a transparent manner in relation to the data subject." The rules stipulate that information or communication to data subjects must be concise, transparent, intelligible and easily accessible, and use clear and plain language. This can be achieved through a clear and transparent notice or policy which provides data subjects with information such as the purposes of processing, the categories of recipients with whom the data will be shared, the data subject's rights and retention periods.

Facing up to data breaches

The GDPR introduces a wider definition of a data breach.
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This is often categorised as a loss of confidentiality, integrity or accessibility (CIA). Organisations which are data controllers have a duty to report certain types of personal data breach to the ICO within 72 hours of becoming aware of the breach, where feasible. If the breach is likely to result in a high risk of adversely affecting individuals' rights and freedoms, organisations which are data controllers must also inform those individuals without undue delay. The ICO has the power to serve enforcement notices, and failure to comply could result in imprisonment or fines of the higher values now in the GDPR.

How we can help and your action points

Our experienced data and privacy team at Shoosmiths can assist with: ensuring your privacy notices reflect what happens in practice with your employees', customers' and contacts' personal data; providing data breach policies and procedures (and indeed other policies and procedures to demonstrate your readiness and compliance); and liaising with the ICO. Please contact either JP Buckley or Andrew Mills with any of your queries.

Disclaimer: This document is for informational purposes only and does not constitute legal advice. It is recommended that specific professional advice is sought before acting on any of the information given.
Published: Mon, 16 Jul 2018 00:00:00 +0100. Author: JP Buckley

Happy #GDPRday
https://www.shoosmiths.co.uk/client-resources/legal-updates/happy-gdpr-day-14157.aspx

Well, this is the start of the regulated journey to compliance. Much has been achieved in the just over two years since the GDPR was published in the Official Journal of the European Union, but the data protection landscape is an evolving one. Even this week we have seen Royal Assent to the UK's new Data Protection Act 2018, which comes into law today alongside the GDPR. It supplements the GDPR, dealing with UK-specific derogations and additions to make it appropriate for application in the UK. It also deals with intelligence services and law enforcement processing, and gives the ICO additional powers. But much has been said about enforcement. A key principle at the heart of GDPR is providing transparency to "data subjects" - you and I and our customers, contacts and others who we hold personal data about. It's also about being able to demonstrate the steps towards compliance you have taken and keeping records of these. We've been delighted to keep you updated about GDPR through our portal, IHL training sessions, updates and more.
If you'd like to receive our GDPR Guidance Tracker, which logs the ICO's guidance, European guidance and our articles, simply email jp.buckley@shoosmiths.co.uk and ask to be added to our GDPR Guidance Tracker, or sign up to our firmwide topic-based marketing here (or change your preferences). The GDPR Guidance Tracker will be updated shortly to cover the Data Protection Act 2018 as well.

Here are some ways we would like to support you in evolving your compliance for the remainder of 2018 and beyond:
- Resolving the remaining compliance actions you've left until after today - we have template policies and contract documents, for example, to assist with this;
- Advising you on breach reporting, and whether the exemptions can be relied upon, or what to say in a breach report;
- Undertaking periodic reviews or audits of your compliance, and determining appropriate methods for resolving issues identified;
- Assisting with Data Protection Impact Assessments (for high risk processing) and/or Legitimate Interests Assessments (for when you use legitimate interests as your legal basis for processing personal data);
- In corporate transactions, checking the data protection status of the target (or preparing the target for sale);
- Assisting you with updating your Accountability principle documents - to show and record how you comply;
- Considering your digital media and marketing compliance; and
- Advising on data subject rights requests, and how to handle and resolve these quickly and efficiently.

We look forward to doing so.

Disclaimer: This document is for informational purposes only and does not constitute legal advice. It is recommended that specific professional advice is sought before acting on any of the information given.
Published: Fri, 25 May 2018 00:00:00 +0100. Author: JP Buckley

Consent: Double-edged sword and the progression towards other legal bases for processing
https://www.shoosmiths.co.uk/client-resources/legal-updates/consent-progression-legal-bases-processing-14019.aspx

The GDPR sets out six lawful 'bases' for processing, consent being one of them. However, consent has historically been the favoured basis, as genuine consent puts individuals in control, building customer trust as well as enhancing your reputation.
However, relying on inappropriate consent can be potentially damaging to your reputation, leave you without the ability to use personal data and leave you exposed to the risk of enforcement action. We have seen a growing appreciation by many clients that past processes for obtaining consents were insufficient, failing to offer individuals a real choice or control over the information they receive and the way their data was handled, meaning it was questionable whether a truly 'positive opt-in' had taken place. This historical overuse has since been criticised by the ICO, who have emphasised the high standard of consent under the GDPR and the record-keeping requirements for a valid consent. The message from the ICO is clear: overuse of consent will not be tolerated under the new GDPR. As such, we expect to see an increase in the current trend of exploring the alternative bases for processing (other than consent). The Data Protection Bill 2018, which is progressing through the House of Commons and currently awaiting a date for the Report Stage, also revises and expands the scope of some of the legal bases. We anticipate that, once enacted later in 2018, this will continue to accelerate the trend of moving away from reliance on consent.

Why is the lawful basis for processing important?

The first GDPR principle requires you to process personal data lawfully, fairly and transparently. Processing is only lawful if one of the six legal bases applies, as provided within Article 6 of the GDPR, being: consent, contract with the data subject, legal obligation, vital interests, public task/public interest (which applies to public sector bodies only) and legitimate interests. It is therefore vital that you are able to demonstrate and document the legal basis for processing specific data.
The best way to do this is by keeping a complete log of all processing activities (commonly called a record of processing, or data inventory, though simply called "documentation" in the ICO's guidance), and then stating in privacy notices and data protection statements what the legal basis for processing the data is. Without keeping a record you will be in breach of the accountability principle provided within Article 5(2) of the GDPR, which requires you (amongst other things) to demonstrate that a lawful basis applies. It is therefore insufficient and non-compliant if you seek later to retrospectively apply a basis for processing, or even to change the basis for processing. For example, if you have historically relied on consent and are now seeking to transition towards legitimate interests, you must ensure the data subject is aware and update your internal records to reflect the change in basis before 25 May 2018. It is also a breach of Article 13 or 14 GDPR not to state the legal basis of processing in the privacy notice.

High standard for 'GDPR consent'

The ICO guidance on consent provides for a high standard, requiring a very clear and specific statement, and forbidding the use of pre-ticked boxes and other default consents. A granular approach is required, and as such the use of blanket consent is non-compliant. For example, where consent is contained within other terms and conditions, it is likely this will be deemed insufficient and non-compliant. Ultimately you must ensure explicit consent is freely given, enabling people to have a genuine and ongoing choice and control over how their data is being processed and utilised. Many companies are reviewing and changing their consent processes to ensure a GDPR standard of consent, particularly in the consumer-facing industries and for employers (where consents have traditionally been over-relied on).
While this is a vital exercise, it is important to remember that consent is only appropriate if you can offer people a genuine choice and real control over how you utilise and access their data. It is important to consider that it may not always be the most appropriate lawful basis.

Would you still process the personal data without consent?

The ICO have emphasised that requesting consent from an individual will be considered "misleading and inherently unfair" if the personal data would still be processed on a different lawful basis if consent was either withdrawn or refused. The premise for this is that it presents the individual with a false and dishonest choice.

Choosing a legal basis - 'Ordinary' Personal Data

The ICO Guidance on the lawful basis for processing has emphasised that a 'single-basis approach' will be insufficient for GDPR compliance - i.e. where organisations just say "it's all based on consent". There are multiple factors to consider when determining the legal basis, including not only the nature of the organisation and data subjects but, most importantly, the purpose for which the data is processed. For example, consider a university that processes data for both public research and alumni relations purposes. The first is clearly capable of falling within the 'public task' basis; the latter is not and will need to be captured through another basis, such as consent. Note also that certain legal bases of processing do not have some of the data subject rights applied to them - another good reason why you will want to select the legal basis of processing very carefully. We also need to consider situations where the legal basis may change over time. For example, a bank may first decide to process data on the basis of consent and obtain the appropriate consent. The bank then discovers information that leads them to suspect certain individuals may be involved in fraudulent activities.
Should the bank later receive a request from the relevant individuals to remove their data, the bank would then be obliged to continue to hold the data pursuant to the legal obligation basis, to ensure it complies with its legal obligations and does not delete any data that may be relevant to future criminal investigations.

Choosing a legal basis - 'Sensitive' Personal Data / Special Categories of Personal Data

When processing Special Categories of Personal Data (the data which used to be called Sensitive Personal Data) you have a two-step test to follow. Special Categories of Personal Data are defined within Article 9(1) GDPR and include all personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, together with genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, and data concerning a natural person's sex life or sexual orientation. These categories of data are more sensitive because this type of data could create significantly greater risks to an individual's rights and freedoms. The GDPR recognises this and puts additional steps in place for those who need to process such data, to ensure greater protection. In order to lawfully process sensitive data you therefore must: first, choose one of the six lawful bases provided within Article 6 GDPR as detailed above; and, additionally, demonstrate that one of the additional bases contained within Article 9(2) of the GDPR applies, as follows: explicit consent, compliance with employment laws, vital interests, the purposes of a not-for-profit organisation (excluding disclosure to third parties), the information already being public, the purpose of legal proceedings, the purpose of administering justice or exercising statutory or government functions, medical purposes, or monitoring equality of opportunity.
By way of a practical example, consider the storage of data obtained for the purpose of clinical health trials, which includes data revealing genetics, biometrics or health. While many may use the services of a third party to apply pseudonymisation techniques to avoid the retention of personal data, the personal data will still need to be processed by the entity that first obtains it. In this instance, we must first use one of the six lawful bases, and in the clinical trials example this would be consent. Moving on to the additional basis for processing, in this case explicit consent would also need to be obtained. In the case of clinical trials, it might be that the data subject later requests that their data be removed. However, if the clinical trial involved, for example, a pregnant woman, it might be that in future either the woman or her future child may have a claim regarding the clinical trial if they believed some sort of damage was caused. Limitation for any claim brought by the child would not commence until the child turned 18, and in these circumstances the Medical Research Council recommends data be retained for a minimum of 25 years, particularly in high-risk trials. This would be covered by the vital interests basis: ultimately, if at a later date it transpires there was some sort of danger that wasn't initially known, it is in the participant's vital interests to be notified should there be a potential impact on their health.

Practical guidance

The ICO has prepared an interactive guidance tool, consisting of a stage-by-stage question and answer process, to assist you in determining which lawful basis is the most appropriate in your precise circumstances.
This should be used as appropriate, but in addition we also recommend the following:
- If you are able to rely on the contract with the data subject, legal obligation or public interest legal bases, our recommendation is to do so, as generally the position is clear-cut as to whether you are GDPR compliant, provided you comply with the subsequent accountability requirements;
- Consent is only to be relied upon in instances where another legal basis does not apply;
- Where consent is relied upon, both internal and external policies (as well as the consent capture statement) should be reviewed to ensure the high standard of GDPR consent is obtained and monitored and that they are all consistent;
- Processing pursuant to the 'vital interests' basis should ideally only be used as a last resort, i.e. where it is necessary to avoid death or serious injury;
- All records should be kept up to date to reflect the appropriate legal basis relied upon, to ensure compliance with accountability and transparency obligations; and
- Ensure staff are given appropriate training so they are aware of the legal basis being relied upon and appreciate its importance, and that some data subject rights only apply to certain legal bases of processing.

Disclaimer: This document is for informational purposes only and does not constitute legal advice. It is recommended that specific professional advice is sought before acting on any of the information given.
Thu, 12 Apr 2018 00:00:00 +0100<![CDATA[JP Buckley Katie Simmonds ]]><![CDATA[ The GDPR sets out six lawful 'bases' for processing, consent being one of them. Consent has historically been the favoured basis, as genuine consent puts individuals in control, building customer trust as well as enhancing your reputation. However, relying on inappropriate consent can be potentially damaging to your reputation, leave you without the ability to use personal data, and leave you exposed to the risk of enforcement action.
We have seen a growing appreciation by many clients that past processes for obtaining consents were insufficient, failing to offer individuals a real choice or control over the information they receive and the way their data was handled, meaning it was questionable whether a truly 'positive opt-in' had taken place. This historical overuse has since been criticised by the ICO, which has emphasised the high standard of consent under the GDPR and the record-keeping requirements for a valid consent. The message from the ICO is clear: overuse of consent will not be tolerated under the GDPR. As such, we expect to see an increase in the current trend of exploring the alternative bases for processing (other than consent). The Data Protection Bill 2018, which is progressing through the House of Commons and currently awaiting a date for the Report Stage, also revises and expands the scope of some of the legal bases. We anticipate that, once enacted later in 2018, this will continue to accelerate the trend of moving away from reliance on consent.

Why is the lawful basis for processing important?

The first GDPR principle requires you to process personal data lawfully, fairly and transparently. Processing is only lawful if one of the six legal bases provided within Article 6 of the GDPR applies, being: consent, contract with the data subject, legal obligation, vital interests, public task/public interest (which applies to public sector bodies only) and legitimate interests. It is therefore vital that you are able to demonstrate and document the legal basis for processing specific data. The best way to do this is by keeping a complete log of all processing activities (commonly called a record of processing, or data inventory, though simply called "documentation" in the ICO's guidance), and then stating in privacy notices and data protection statements what the legal basis for processing the data is.
]]>{4EBD6204-8FA6-4FB2-AABD-DD0EB3B67802}https://www.shoosmiths.co.uk/client-resources/legal-updates/data-retention-impact-gdpr-employers-13847.aspxData retention - what impact does the GDPR have for employers? The GDPR will undoubtedly involve a shake-up of the way businesses approach and, crucially, evidence their data protection compliance, not least in terms of how they retain personal data. We consider the implications of GDPR on data retention below.
Building on current practice

Notwithstanding the plethora of guidance and draft legislation we have seen over many months, it is important that organisations processing personal data bear in mind that the fundamental principles underpinning data protection as set out in the Data Protection Act 1998 (DPA) are in essence repeated in the principles which underpin the GDPR.

The fifth data protection principle - data retention

The DPA's fifth data protection principle provides that personal data processed for any purpose(s) shall not be kept for longer than is necessary for that purpose(s). It is therefore incumbent on any data controller and/or processor (including employers) under the existing legislation to be aware of what data it is processing, for what purpose, and for how long the organisation reasonably needs to hold that data. The GDPR places a higher evidential burden on data controllers and processors to demonstrate that they have actively engaged with the topic of data retention, as well, of course, as increasing the fines to which organisations are exposed for non-compliance. For those employers who have lost sight of the data they hold and why they retain it, it is important that they carry out a data audit and engage with the topic of retention ahead of 25 May.

Retention periods

There are no hard and fast rules on how long personal data should be retained, so what is appropriate will vary depending on the type of data processed and an employer's own working practices. Look, for example, at a CV provided by a job candidate.
It is likely to be reasonable in the majority of cases for an organisation to rely on performance of a legal obligation/defence of legal claims as a lawful basis for holding that CV for a period of six months following the particular recruitment campaign in which the job candidate took part, as it will form part of the evidence should a legal challenge be brought (taking into account the ACAS early conciliation period and the time limit for issuing of claims in the employment tribunal). However, if, for example, the candidate in question was applying for a graduate role and the organisation operated an annual graduate recruitment cycle, there could be a reasonable case for keeping key information from the CV, such as a summary of skills and contact details, for up to a year. For employees departing the business, there will be details such as their emergency contact and bank account details which should be deleted immediately in most circumstances, as the employer will no longer require that data once the employee leaves and the final salary payment has been made to them. Employers may consider it appropriate to retain other employment data for up to six years to wait out the statutory limitation period for breach of contract claims in England and Wales (for employers in Scotland this would be five years). Thereafter, there is likely to be certain minimum data which an organisation should retain simply for the purpose of being able to provide employment references. There cannot be a one size fits all rule for retention periods, so each organisation will need to consider and identify every type of personal data it retains as well as evidence its own thought process when setting retention periods for that type of data. 
Documenting data retention

As well as updating contracts of employment and data protection policies, employers will need to ensure that they put appropriate privacy notices in place for employees (both current and former), job candidates and the wider workforce, such as volunteers, agency workers and consultants, setting out the personal data which the organisation collects, the lawful basis for processing, and for how long the relevant category of data is retained. Where an employer is seeking to rely on its legitimate interests to retain data, it will be necessary for the employer to go through an additional assessment exercise in order to balance those interests against the data subject's privacy rights. It may be appropriate, depending on the size of the organisation and the complexity of its data retention, for the organisation to consider a separate data retention policy, though this is by no means essential if retention can be adequately covered in privacy notices. Any retention policy should identify each type of personal data collected, where it is retained, and the period for which it will be retained.

Disclaimer: This document is for informational purposes only and does not constitute legal advice. It is recommended that specific professional advice is sought before acting on any of the information given.
Tue, 06 Mar 2018 00:00:00 Z<![CDATA[Esther Wilkins Gwynneth Tan ]]><![CDATA[ The GDPR will undoubtedly involve a shake-up of the way businesses approach and, crucially, evidence their data protection compliance, not least in terms of how they retain personal data. We consider the implications of GDPR on data retention below.
]]>{343BDC10-21E8-4BCE-82C7-45CCFF87796C}https://www.shoosmiths.co.uk/client-resources/legal-updates/gdpr-100-days-are-you-ready-13784.aspxGDPR - 100 days and counting: Are you ready? With just 100 days to go until the General Data Protection Regulation (GDPR) comes into force, many employers are still grappling with the requirements of the new regime. What steps should employers be taking to ensure they are ready for 25 May 2018? GDPR Workshop Download our flyer for information on how Shoosmiths can support your HR team with its GDPR preparations.
What should employers be considering?

The GDPR will bring with it some important changes to data protection law. The GDPR will be supplemented in UK law by the in-draft Data Protection Bill, which is passing through Parliament at present. Organisations need to plan for the implementation of the GDPR and the Data Protection Bill. We have highlighted 12 key steps which employers should be taking now:

1. Lawful basis for processing

Consider the current lawful basis relied on for processing employee data and whether this can still be relied upon under the GDPR. Most employers currently rely on employees giving consent to the processing of their data in an employment context by including a clause to that effect in their employment contract. However, consent in this context is unlikely to be lawful under the GDPR, and therefore employers will need to consider an alternative basis for processing employee data. Employees must be informed of the employer's change in approach to processing their personal data before 25 May.

2. Privacy notices

Employers will also be required to inform employees of what data they collect, what lawful basis they rely on for doing so, what the data will be used for, how it will be stored, who will have access to it, and for how long it will be kept. All of this information must be set out in a privacy notice. Employers should therefore be preparing appropriate privacy notices for their employees, together with their job applicants, consultants and ex-employees. Employers should carry out an audit process now to properly understand and collate the information they need to communicate in meaningful privacy notices.

3. Legitimate interests assessment

Where an employer seeks to rely on its legitimate interests as a lawful basis for processing employee data, it will first need to carry out a legitimate interests assessment to ensure that it has balanced those legitimate interests against the privacy rights and freedoms of the employee, and that any processing to be carried out is proportionate in the circumstances. Employers should be completing such assessments now, and including details in their privacy notices, ready for May.

4. Updating policies and procedures

The changes under the GDPR and the Data Protection Bill will need to be reflected in an organisation's policies and procedures, most notably any data protection policy, IT security policies, disciplinary and grievance procedures, and data retention policies. Employers should therefore ensure that such documents are updated in readiness for May.

5. Data cleansing

Given that one of the principles under the GDPR is data minimisation, now is a good time for employers to undertake a data cleansing exercise, deleting data which is no longer required, such as duplicate copies of disciplinary notes or old CVs kept in a manager's drawer 'just in case'. Employers should introduce measures to ensure that employees' details are kept up to date and accurate.

6. Review recruitment processes

Employers who carry out blanket criminal records checks as part of their recruitment process will need to review such procedures, as currently it appears that such checks will not be permissible under the GDPR other than in relation to specific regulated activities.

7. Get ready for DPIAs

Any organisation looking to introduce new systems or processes which are likely to pose a high risk to the privacy rights of individuals will need to carry out a Data Protection Impact Assessment prior to doing so once the GDPR comes into force. For example, this could apply to employers looking to introduce a new vehicle tracking system, random drug testing or CCTV surveillance. Employers should therefore make sure that they have appropriate forms and guidance notes in place now to support such assessments.

8. Third party providers

Where an employer outsources certain functions to a third party provider, such as a payroll provider, it will be important to review the contractual arrangements in place with those providers. Under the GDPR there are certain clauses which have to be included in the contracts, and there are also certain provisions, such as indemnities and warranties to cover a data breach by the third party, which are advisable to cover in the contract.

9. Data subject access

Data subject rights under the GDPR are enhanced, most notably in relation to data subject access requests. Employers should therefore update their systems and policies to take account of these changes. It is also advisable to have a specific data subject access policy to help employees understand what data subject access requests are and how they will be dealt with by the organisation. It will also be important to consider whether current systems are sufficient to readily identify, locate and supply employees' data in order to enable an organisation to respond to a data subject access request. If not, now is the time to update these systems.

10. Security

Reviewing current security measures will also be important, in particular considering who has access to employee data, especially health information, which is classed as special category data under the GDPR. Organisations should ask themselves whether access to this information should be limited, what information should be locked away, and what practices should be in place to encrypt and/or password protect information.

11. Training

The new regime will require every person within an organisation to understand and comply with data protection obligations. It is therefore essential that employers put in place appropriate training programmes for managers and staff, which should be completed prior to May.

12. Record keeping

Finally, under the GDPR there is a new accountability principle, which means that organisations must be able to demonstrate compliance with the new regime. Employers will therefore need to ensure that they have appropriate record keeping processes in place.

Shoosmiths' GDPR DRIVE

In order to help your organisation assess the extent to which it processes personal data in accordance with the current Data Protection Act 1998 and the GDPR, we can carry out a detailed audit for you, providing you with a report and working with you to agree a tailored service that identifies key risk areas for your organisation and arms you with the information you need to address any key non-compliance issues so you are ready for 25 May 2018. It will also mean you can optimise your data collection and use to make the most of the data and drive business benefits. For any further information please speak to your usual Shoosmiths contact or visit www.shoosmiths.co.uk/data - We can help you with that.

Disclaimer: This document is for informational purposes only and does not constitute legal advice.
It is recommended that specific professional advice is sought before acting on any of the information given.Wed, 14 Feb 2018 00:00:00 Z<![CDATA[Antonia Blackwell Gwynneth Tan ]]><![CDATA[With just 100 days to go until the General Data Protection Regulation (GDPR) comes into force, many employers are still grappling with the requirements of the new regime. What steps should employers be taking to ensure they are ready for 25 May 2018?]]>{80012463-A474-4697-B501-F6231B9F0903}https://www.shoosmiths.co.uk/client-resources/legal-updates/data-subject-access-requests-access-granted-13636.aspxData subject access requests - Access granted
Recent court decisions have highlighted that data subject access requests are no longer simply a tool to check whether data is processed lawfully, but have become a recognised litigation tactic. We consider how employers should respond to this change.
Back in 2003, the Court of Appeal in Durant v FSA confirmed that the Data Protection Act (DPA) did not create an automatic right for employees to access all personal data held about them by their employer. Rather, the purpose of the data subject access request (DSAR) was deemed relevant when considering whether or not the employer had to comply with it. However, a number of cases during 2017, a few of which are considered below, have called this approach into question.
Dawson-Damer v Taylor Wessing LLP (February 2017)
In this case Taylor Wessing had refused to comply with a DSAR, citing, among other things, that the individual's real motive in making the DSAR "was to use the information in legal proceedings" and that this was not a proper use of the DPA. The Court of Appeal disagreed, holding that the motive behind a DSAR is irrelevant to whether or not the data controller must comply with it. The individual was entitled to make a DSAR even if the 'collateral purpose' in doing so was to aid litigation. There is nothing in the DPA which limits the purpose of a DSAR or requires an individual to explain what they want the information for.
Ittihadieh v 5-11 Cheyne Gardens / Deer v University of Oxford (March 2017)
These joined cases also confirmed the approach taken in Dawson-Damer, namely that any 'collateral purpose' for making a DSAR is irrelevant to the employer's obligation to comply with it. Fortunately for employers, however, the court in these cases did offer some guidance as to the factors to be taken into account when considering a refusal to comply with a DSAR. In particular, when an employee considers that the employer has not properly dealt with a DSAR and asks the court to order compliance, the court should consider the following factors in deciding whether to grant such an order:
Is there a more appropriate way of obtaining the information?
How serious is the breach by the data controller?
Is there an abuse of process?
What is the potential benefit to the data subject?
Does the data subject already have the information they are requesting?
Will the search require 'disproportionate effort'?
Disproportionate effort
The consideration of 'disproportionate effort' has proved a topic of debate in and of itself. In Holyoake v Candy (February 2017), the High Court reiterated that the obligation to carry out a search for personal data on receipt of a DSAR is limited to what is 'reasonable and proportionate'. This applies to all stages of the DSAR. Although there is no legal definition of what is reasonable and proportionate, and it is determined on a case by case basis, the court has commented that it is very much a balancing exercise between the effort involved in finding and supplying the information and the benefits it might bring to the data subject. Employers should therefore bear this in mind when considering the reasonableness of any DSAR received.
What approach has the ICO taken?
The ICO appears to take a dim view of employers relying on the 'relevant factors' outlined above when met with a DSAR. This indicates that, regardless of whether any of these factors are present, the ICO will still want to see that a proper effort has been made by the employer to comply with the DSAR. After all, disgruntled employees or ex-employees are more likely to complain to the ICO, which is free, than to commence litigation, which may attract legal costs.
Where does this leave employers?
Although it may be clear when an employee or ex-employee submits a DSAR that it is simply a means of supporting a tribunal or court claim, employers should not treat this as grounds for refusing to comply with it. On receipt of a DSAR, employers should balance any difficulties involved in complying against the benefits the information might bring to the data subject, and keep a record of that assessment. By doing this, both the ICO and the court will be much more sympathetic should the employer refuse to comply on the grounds of the volume of information sought or some other difficulty. Above everything, employers must not simply ignore a DSAR, as that is likely to be a one-way ticket to a fine or other sanction.
General Data Protection Regulation (GDPR) considerations
With the 25 May deadline for GDPR compliance now firmly on employers' minds, dealing with a DSAR under the current DPA may seem like even more of a burden, but DSARs should not be neglected. We have to assume that the GDPR will not wipe the slate clean and that last year's rulings will still apply. The only respite may be that, unlike the DPA, the GDPR allows employers to extend the one-month response period by up to a further two months where a DSAR is particularly complex or onerous, which is often the case in the context of employment related requests. The downside is that under the GDPR an employer's response to a DSAR must give the data subject more detailed information. For more information see our previous article: HR and GDPR: How will data subjects' rights change?
Addendum: We offer a range of advice on data protection matters, including dealing with subject access requests and ensuring you are GDPR compliant. If you would like further information, please visit our dedicated data protection compliance page here.
Disclaimer: This document is for informational purposes only and does not constitute legal advice. It is recommended that specific professional advice is sought before acting on any of the information given. Wed, 13 Dec 2017 00:00:00 Z<![CDATA[Michael Briggs ]]><![CDATA[Recent court decisions have highlighted that data subject access requests are no longer simply a tool to check whether data is processed lawfully, but have become a recognised litigation tactic. We consider how employers should respond to this change.]]>{5EA97726-893E-423D-AD6A-66D15491CCBD}https://www.shoosmiths.co.uk/client-resources/legal-updates/potential-fine-for-supermarket-data-leak-13603.aspxLiability ruling in UK data leak class action
Last week the High Court ruled a large retail company to be vicariously liable for a leak of its employees' data, in the first US-style class action in the UK involving a personal data breach. The data breach, which happened in 2015, was caused by a senior employee of the company.
Having a grievance against his employer, he used his position to steal the personal data (including names, addresses, dates of birth, bank account details, salaries and national insurance numbers) of nearly 100,000 of his colleagues. He subsequently published the information on the internet and sent it to a number of newspapers. He was found guilty of fraud in 2015 and was sentenced to eight years in prison.
The company acted quickly following the breach to get the data taken down, and spent a considerable sum of money providing protection for the affected employees. In fact the judge in the case, Langstaff J, agreed that the company was not necessarily at fault in the way it protected the personal data of its employees. However, he did find that the law held the company responsible for the actions of its employee, on the basis that the company had deliberately entrusted him with access to confidential information (including the leaked payroll data) on a daily basis, and had taken the risk that it might be wrong to place that trust in him. Langstaff J said in his ruling: "There is a sufficient connection between the position in which Skelton was employed and his wrongful conduct, put into the position of handling and disclosing the data as he was by [the company] (albeit it was meant to be to KPMG alone), to make it right for [the company] to be held liable 'under the principle of social justice which can be traced back to Holt CJ'. This conclusion would be the same irrespective of whether a breach of duty under the DPA, a misuse of private information, or a breach of the duty of confidence was concerned, for the essential actions constituting a legal wrong in each case were the same."
The High Court trial focused only on establishing liability, and the company has already confirmed that it intends to appeal the decision. If the appeal is unsuccessful, a second trial will determine what the company will have to pay in damages. The claimants' lawyers expect that each individual could receive thousands of pounds in compensation.
The case has potential implications for every organisation in the country which collects and processes personal data about individuals. The ruling strengthens the position that individuals affected by a data breach may claim compensation for the "upset and distress" caused. In fact, the right for individuals to claim compensation for material and non-material damage (even where little or no financial loss has occurred) is specifically written into the new EU General Data Protection Regulation (GDPR), which will apply from 25 May 2018. This landmark ruling means that we should expect to see more US-style class actions against companies following data breaches. Only last week it was reported that Google faces a US-style class action by a group calling itself "You owe us Google", which may ultimately act on behalf of up to five million iPhone users, alleging that Google bypassed privacy settings to unlawfully collect and use their personal information.
Going forward, organisations which collect and use personal data about individuals should:
ensure they take data protection seriously, particularly in the light of the forthcoming GDPR, which attracts fines of up to €20 million (or 4% of global turnover), whichever is the higher, as well as compensation claims under individual and class actions.
Those who have not yet started their GDPR readiness programme should do so as soon as possible (and we can help with this);
consider limiting employees' access to personal data about employees, customers and other individuals to those who need it, particularly where the data is sensitive or involves financial information, or where there are concerns about an individual's trustworthiness, or the individual is subject to disciplinary proceedings or similar;
ensure they have a robust data breach response plan in place to deal with the consequences of a data breach quickly and limit any financial damage to, or distress of, the individuals concerned; and
review insurance policies to ensure they will cover liability under any class or collective action, including claims for emotional harm such as distress or hurt feelings.
For further advice, please get in touch with your usual contact at Shoosmiths or JP Buckley or Nichola Jenkins as shown.
Disclaimer: This document is for informational purposes only and does not constitute legal advice. It is recommended that specific professional advice is sought before acting on any of the information given. Tue, 05 Dec 2017 00:00:00 Z<![CDATA[Nichola Jenkins JP Buckley ]]><![CDATA[Last week the High Court ruled a large retail company to be vicariously liable for a leak of its employees' data, in the first US-style class action in the UK involving a personal data breach.]]>{A0C2249C-A2D5-4550-A1FC-D123EC91F0A3}https://www.shoosmiths.co.uk/client-resources/legal-updates/gdpr-less-than-6-months-left-13579.aspxGDPR - less than 6 months left...
With 177 days to go until the General Data Protection Regulation kicks in, what should businesses be doing when faced with this deadline?
Set up a clear and responsive Governance Structure. Any change project needs clear governance and GDPR is no different. A clear leader, with champions embedded around the business, is one way of doing it, but what will work for your organisation will depend on how your organisation works.
Analyse the kinds of personal data you have and what you use it for in a Data Mapping / Data Inventory exercise. You'll no doubt find other things you do that you weren't aware of. This will then inform your Gap Analysis.
Analyse your policies, procedures, contracts and the steps you need to take to comply with GDPR, then prioritise these in terms of risk profile. You'll then have a clear Action Plan which you'll need to implement. The Governance Structure will help you with that, and where you're doing a task across teams, make sure they all do it in the same way.
Keep track of Other Legislative Changes. GDPR is being supplemented by the draft Data Protection Bill in the UK (becoming a new Data Protection Act once it is law next year) as well as the draft ePrivacy Regulation, which will regulate electronic marketing and cookies.
Check compliance pre-May. And also ensure you can deliver ongoing compliance to meet the Accountability principle of GDPR - to show how you are compliant as well as being compliant.
The scale of the task The GDPR requires combined with the tight deadline presents many issues for businesses to overcome in creating a plan that addresses all relevant aspects. What are the common risks and mitigations for a GDPR plan? "We've got 2,000 contracts which need amending for GDPR". Start with a clear template and instructions, and send a briefing note with the changes to the other party, so they understand why the changes are being made. Shoosmiths offers a contract review and negotiation service. "We've no budget". As well as regulatory fines and potential individual claims, there are benefits too from understanding your data flows - from data optimisation to better marketing to reducing storage or supply chain - all delivering ROI. "I don't know where to start". The key foundations are governance structure and data mapping. Once these are decided then a workable project plan can be created in manageable pieces. "What do I need to include in updated contracts?" GDPR specifies what topics need to go in Controller - Processor contracts. Shoosmiths have a template which has clear guidance as well as the pure drafting. "Our privacy policies need updating - when's the best time to do it?" For rights coming in in May updating of privacy policies should happen once you have the data mapping / inventory in place. "How do I train the business?" Provide training for the review exercise as well as on an ongoing basis. Shoosmiths is developing an e-learning module to help clients with exactly this. We know clients will want our advice and assistance in different ways - so we're happy to help - through from HR audits to policy changes to outsourced contract negotiation to a GDPR readiness plan. Have a look at our portal www.shoosmiths.co.uk/data for further information. DisclaimerThis document is for informational purposes only and does not constitute legal advice. 
It is recommended that specific professional advice is sought before acting on any of the information given.

Published: Tue, 28 Nov 2017. Author: JP Buckley.
GDPR - A general overview
https://www.shoosmiths.co.uk/client-resources/legal-updates/gdpr-general-overview-13282.aspx

The General Data Protection Regulation ('GDPR') takes effect from 25 May 2018 and was introduced to further harmonise and modernise data protection procedures. While many of the concepts, obligations and ideas of the existing data protection regime under the Data Protection Act 1998 ('DPA 98'), which the GDPR will replace, remain the same or similar, there are some significant changes. The topic of data protection generally is a vast one and the purpose of this briefing note is to provide a summarised overview of the key changes to the existing regime.

What is new or different?

Enforcement - The fines that may be imposed for breaches of the GDPR have been significantly increased: depending upon the type of breach, a fine of up to 4% of annual worldwide turnover for the preceding financial year or 20m (EUR) (whichever is the greater). The percentage fine is linked to an 'undertaking', which is phrased around corporate groups. It currently remains a grey area where an Occupational Pension Scheme fits into the undertaking concept and whether the sponsoring employer's group turnover would be factored into any fine relating to such a scheme.

Consent - This concept has been restated and revised so that there is now a requirement for demonstrable consent by the individual. Consent in this context means clear affirmative action, and the consent should be informed, specific, unambiguous and given freely. Consent given, for example, in a contract will only be valid for the specific purposes required by the contract. Consent is required for each processing purpose, and explicit consent is still required for sensitive personal data. Individuals have the right to withdraw their consent at any time.

Where pension scheme data is held and processed by and/or for trustees, currently it is likely that only implied consent has been given. Trustees will need to consider the basis on which they have consent and take steps to ensure that data subjects' consent satisfies the stricter new requirements. The focus on the need for clear, unambiguous and granular consent means it is not an easy route to satisfying the requirement for processing to be lawful, and trustees in particular should consider relying on one of the other lawful reasons for processing data: the legitimate interest reason, or the statutory compliance reason for auto-enrolment purposes. Processing is lawful where it is necessary for the purposes of the legitimate interests of the data controller or the third party to whom the data is disclosed (this must be balanced against the individual's legitimate interests), or where it is necessary for compliance with a legal obligation to which the data controller is subject.

Accountability, Compliance and Governance - One of the key changes is the enhanced focus on accountability and governance, which will require increased awareness of the GDPR requirements. It will be important to understand the impact of the changes and identify the areas of difficulty in compliance. An assessment of the risks of non-compliance includes provisions that promote accountability (monitoring and review) and governance. Data controllers should review what personal data they hold and any parties they share it with. Part of the overall governance focus is covered by the concept of Privacy by Design. This means appropriate technical and organisational measures to show you have considered and integrated data protection into your processing activities. Existing compliance programmes should be reviewed and adapted if necessary.

There is also a legal requirement to carry out data protection impact assessments (DPIAs) if there are proposed activities likely to result in a high risk to the rights and freedoms of individuals. What 'high risk' means is not further expanded, so it may be difficult to be sure where the line lies. DPIAs will consist of a range of questions on the activity, including its objectives and outcomes as well as the scale of the data being processed, whether new data is needed, what protections to privacy are being used, and who might be affected, and how, if that protection fails. Detailed records of data processing must be kept and this will include DPIAs.

Enhanced rights of individuals - The rights of individuals as data subjects are strengthened and some new ones have been introduced:

Right to be informed - an obligation to provide 'fair processing information' through a privacy notice. There must be transparency on how the information will be used and there is an emphasis on clear, concise notices. The list of information to be provided has been expanded by the GDPR. The time at which it should be made available will depend on when the data is collected.

Right of access - individuals must be able to access their data to verify the lawfulness of the processing. They will do this through subject access requests. The key change here is the shortening of the time by which a response is required, to one month from 40 days. The right to charge for a response has been removed except in exceptional circumstances.

Right of erasure or rectification - in the event of inaccurate or incomplete data. This is expanded to cover more circumstances than before.

Right to data portability - individuals may reuse and transfer their personal data for their personal use to another controller without restriction as to usability. This is a new right reflecting the changing technology landscape.
Right to object - processing of data is subject to consent and individuals can object to certain types of processing such as direct marketing or processing for research or statistical purposes. Subjects must be given explicit notice of their right to object from the outset.

Data Breach notification - A data breach is a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to personal data. The GDPR introduces a requirement to notify the relevant supervisory authority of any data breach that is likely to result in a risk to the rights and freedoms of the individual affected. Failure to notify a breach is a breach of the GDPR itself. Where a breach occurs, it must be reported to the relevant supervisory authority without undue delay and within 72 hours of awareness, unless it is unlikely to result in a risk to the individuals. Any delay will need to be justified. Where there is a high risk, the notification must be made to the individual as well. In this context 'high risk' would mean, for example, leaving the data subject open to discrimination, fraud or financial loss. The GDPR sets out the necessary information to be included in a report, including the nature, category and approximate numbers of individuals and personal data records concerned.

A robust breach detection process ought to be in place and, where working with data processors or joint controllers, evidence of their detection and breach management processes should be confirmed, demonstrated and records retained. It may be necessary to agree one shared process in that case, or changes to each party's processes to allow them to link up and work together.

Territorial Scope - The GDPR extends to the processing of personal data of data subjects in the EU by a controller or a processor who is not established or located in the EU if they offer goods or services to data subjects in the EU or if they monitor the behaviour of data subjects where that behaviour takes place in the EU. Many non-EU businesses not previously covered by the DPA 1998 will now be covered by the GDPR and may need to consider the possibility of having representation or offices inside the EU to manage their data protection obligations.

PREPARING FOR GDPR 2018

For Occupational Pension Scheme trustees the following areas are where their efforts should initially be focused.

Data Audit

Trustees should carry out an audit of the data that they hold; a data questionnaire is a useful tool. The aim is to map the data and identify current compliance, and the role of the trustees and other parties in processing the scheme data, so that risk areas can be identified and processes agreed and put in place with the assistance of advisers to ensure demonstrable GDPR compliance.

Confirm the lawful basis for your processing

Is the basis consent? If so, are existing consent forms still fit for purpose, or is a full review required to meet the upgraded requirement of express, unambiguous and granular consent? Agreement with the sponsoring employer on what form the consent will take may be required. Alternatively, is reliance going to be placed on one of the other acceptable lawful reasons for processing? The basis to apply should be recorded and communicated to the data subjects concerned. See Communicating Privacy Information below.

Communicating Privacy Information

Review the information currently provided (this may be covered by a third party - the data audit will confirm).
Ensure it is updated to GDPR levels, including covering the basis on which you lawfully process, as well as confirmation of the right of the data subject to complain to the Information Commissioner's Office and for how long the data will be held. Tools such as privacy/fair processing notices can be utilised.

Data Subject Rights

How are the rights of data subjects currently being met and what changes to processes are needed? Particular focus should be on subject access requests (SARs) and how these are met; processes and responsibilities should be clarified and updated and the changed deadlines reflected. Utilise privacy by design by using such features as encryption, anonymisation and pseudonymisation. Liaise with third parties to ensure a joined-up approach and clarity on responsibilities. The same actions should be taken in relation to breach notifications, and it may be relevant to establish a specific group to deal with breaches and/or SARs. All processes should be recorded, and current governance tools such as business plans and risk registers can be used. Mitigate the breach risk by upgrading security features where necessary. Consider trustee meetings and how data is prepared and shared in that context and, particularly where individual trustees are involved, what the retention and destruction policy of such information is. Agree such policies where none exist or are deemed not adequate for GDPR compliance.

Third Party Contracts

Where data is held or processed by third parties, trustees must review any contracts that are in place to ensure sufficient protection is provided. As contracts will have been drafted without the increased GDPR requirements in mind, it is likely that enhancements will be needed to ensure compliance. However, as data processors can be held directly liable for non-compliance under the GDPR, there should be an appetite for ensuring procedures, contracts and agreements are compliant. Contracts will also need to allow for the provision of data to comply with the tighter subject access request timeframes. Engage with third parties to review contracts and update them, and also to understand their GDPR compliance route. Obtain confirmation of their security features, including a cybersecurity statement where available.

AND FINALLY...

Whilst there were no surprises under the GDPR, it does require a re-think as to how data protection obligations are met and evidenced. Occupational Pension Scheme trustees by and large will be able to rely on and work with their Sponsoring Employer, who may be addressing many of these issues as part of their business operations. Wherever possible it is recommended that the parties work together to minimise repetition and to ensure that the data protection offering of both the business and the Pension Scheme are aligned and symbiotic. As an example, there is a requirement for Data Protection Officers where an organisation's core business involves processing personal data involving regular and systematic monitoring of data subjects or large amounts of sensitive personal data. Accordingly, many Sponsoring Employers may have a Data Protection Officer or may have an appointed employee dealing with data protection matters. It is unlikely that an Occupational Pension Scheme would require a Data Protection Officer, but clearly if the Sponsoring Employer has that resource it would be sensible for the trustees to use it. Many of an organisation's existing processes could be fit for purpose, so much of the work may be adapting rather than introducing new processes. The UK's Data Protection Bill was announced in the Queen's Speech earlier this year and UK legislation is expected in September 2017. Without the introduction of UK legislation the GDPR will apply in any event from May next year, but on exit from the EU there could be confusion as to the ongoing requirement in relation to data protection.
UK legislation will address this and given the Government's statement that it is the intention that the UK 'retains its world class regime protecting personal data', it will do what the GDPR does by incorporating the GDPR into national UK law so that after Brexit the same data protection regime will apply to the UK as applies to the rest of the EU. Through whatever format the obligations apply it is clear that there will be an impact on most organisations and Occupational Pension Schemes, and for trustees the key focus should be to ensure a proportionate, effective and evidenced response that ensures the security and privacy of the data that they control.

Disclaimer: This document is for informational purposes only and does not constitute legal advice. It is recommended that specific professional advice is sought before acting on any of the information given.

Published: Fri, 08 Sep 2017. Authors: Kunjan Sembhi, Heather Chandler.
Without the introduction of UK legislation the GDPR will apply in any event from May next year but on exit, from the EU there could be confusion as to the ongoing requirement in relation to data protection. UK legislation will address this and given the Government's statement that it is the intention that the UK 'retains its world class regime protecting personal data', it will do what the GDPR does by incorporating the GDPR into national UK law so that after Brexit the same data protection regime will apply to the UK as applies to the rest of the EU. Through whatever format the obligations apply it is clear that there will be an impact on most organisations and Occupational Pension Schemes, and for trustees the key focus should be to ensure a proportionate, effective and evidenced response that ensures the security and privacy of the data that they control. DisclaimerThis document is for informational purposes only and does not constitute legal advice. It is recommended that specific professional advice is sought before acting on any of the information given.]]>{9E1E4413-C176-4B7B-92E7-142FB5B0C264}https://www.shoosmiths.co.uk/news/press-releases/11454.aspxEU Referendum result: Shoosmiths experts comment Shoosmiths' experts in competition, employment, real estate, corporate and commercial comment on the EU referendum result. Competition Law Simon Barnes, head of EU and competition at Shoosmiths The UK's competition laws mirror that of the EU's, therefore the vote to leave should in principle have very little, if any, effect on the competition law assessment of commercial agreements. The leave vote could see changes in how competition law applies to certain types of commercial arrangement, such as distribution and licensing agreements, as the current rules come from the European Commission block exemption regulations and guidelines. These could be discarded now that we have opted out of the EU. 
Disparities between the UK's and the EU's competition laws may emerge in the long term when differences in levels of enforcement and court judgements become apparent. Should the EU guidance be repealed, both the lawfulness of commercial arrangements and compliance with varying rules in different jurisdictions will be a concern for businesses. The EU Merger Regulation will now cease to apply, with deals in future potentially having to be reviewed under both the Merger Regulation and the UK's domestic merger rules. Control of State aid can now be retained by the UK, possibly allowing the UK to benefit from public support by way of grants and favourable tax regimes. However, respecting the existing EU rules on this may prove crucial in securing access to the EU single market. Similarly, the existing public procurement regime will most likely stay put to promote competitiveness in public tender processes and act as a tool in negotiating single market access.

Employment Law
Charles Rae, employment partner at Shoosmiths
Now that the UK has voted to leave the EU, once Brexit is completed the Government could in theory decide to repeal or revise a significant proportion of the UK's employment laws, where these are laws that are required as part of the UK's membership of the EU. A number of employment laws fall into this category, such as many of the anti-discrimination rights, transfer of undertakings regulations, family leave entitlements, collective consultation obligations, duties to agency workers or working time regulations. However, any kind of wholesale change seems unlikely for a number of reasons. Many of the laws in question have become so ingrained within UK businesses that it seems unlikely the Government would take steps to significantly change or remove them, especially where they provide rights to employees that have become widely accepted and valued. Moreover, much of the UK's employment legislation pre-dates the EU-imposed requirements and has instead been built upon by later EU requirements, so the foundations are already in place. For instance, the UK already had race and disability discrimination rules before the EU-wide requirements were introduced. Many feel that, more likely than repealing laws, the Government would take the opportunity to smooth off some of the less popular requirements set down by the EU, for example restrictions on changing terms and conditions following a TUPE transfer. We may also find that freedom of movement within the EU leaves uncertainty as to the status of EU nationals who already work in the UK (and vice versa). Many businesses rely on EU workers and will want to be satisfied that their right to remain in the UK (and therefore to provide their services) is not going to be adversely affected. Equally, it isn't clear what a Brexit will mean for EU nationals currently working in the UK. Many potential solutions have been mooted, such as a compromise that would see current EU migrants given a set period of time to remain in the UK during which they can apply for citizenship, in return for UK citizens currently abroad being allowed to remain where they are on the same basis.

Real Estate
Simon Boss, real estate partner at Shoosmiths
Given that commercial real estate deal flow has already been impacted by the uncertainty that abounded in the run-up to the referendum, we may see some clients putting deals on hold in the wake of the leave result. Equally, we may see some pick-up in transactions as some investors look to reduce their exposure to the UK market. For some funds and investors this may present an opportunity to acquire at an attractive price. Since its creation, no Member State has ever left the European Union, so we have no clear precedent as to what happens next, and this is as much the case for the real estate sector as it is for the wider commercial arena. Withdrawal from the EU could have major implications for the construction industry, which is already tackling a labour shortage. Tightened immigration control could now exacerbate this issue, given that a large percentage of EU immigrants work in the construction sector. What many will be waiting most anxiously to determine, though, is how far foreign investment into British real estate will be impacted by our withdrawal from the EU. Will the position of Britain as a primary choice for commercial real estate investment in Europe suffer? Until some certainty returns to the market, this could well reduce the UK's reputation as a safe haven for real estate investment.

Corporate - Private Equity
Kieran Toal, corporate partner at Shoosmiths
We're now in uncharted waters - no member state has left the EU since its inception, and how the economy and UK businesses will fare is hard to predict. However, in terms of the Private Equity market, we are dealing with the relative unknown, but investors still need to invest. Admittedly there may be a slow start while buyers take stock but, once the wheels begin to turn, there is a plethora of cash-rich private equity houses with capital to invest, and UK businesses with rich growth potential aren't going to lose their appeal overnight. There may well be a shift in focus, with businesses which are particularly reliant on European markets becoming less attractive propositions. But for the most part, the likelihood is that the inertia caused by uncertainty over the vote will slowly lift.

Commercial - Creative industries
Laura Harper, partner in the national Intellectual Property &amp; Creative Industries group and head of the IP &amp; Creative Industries at Shoosmiths
I think there is going to be concern and disappointment in the creative industries at this outcome. There are many questions that will have to be answered around funding, free movement of people and collaboration across film, television and the performing arts. 
Certainly it's no exaggeration to say regulation around Trade Mark protection is going to need redrafting, creating uncertainty for companies here and abroad who own EU Trade Marks. The 'out' vote means there is going to have to be a transitional period where companies who have an EU Trade Mark will potentially lose protection in the UK, and they will need to audit their TM portfolios to identify the areas which will require attention to ensure they apply for the necessary national coverage. As legal advisers we will provide advice on the basis that UK protection under EU trade marks will be eventually lost until we receive clarity on the transitional provisions, to ensure that our clients' interests are fully protected. The patent system has taken decades to negotiate - the Unified Patent and Unified Patent Court was due to be implemented in 2017. With this vote this will probably be delayed and add an extra layer of process to the new Unified Patent and Court procedure. Fri, 24 Jun 2016 00:00:00 +0100<![CDATA[Shoosmiths' experts in competition, employment, real estate, corporate and commercial comment on the EU referendum result.]]>{BA4CAAE3-0133-46E5-B526-6D454B091AC8}https://www.shoosmiths.co.uk/client-resources/legal-updates/new-eu-data-protection-regulation-approved-11202.aspxNew EU Data Protection Regulation: New Regulation Approved
It has taken a lengthy legislative process, but on 14 April 2016 the European Parliament voted to replace the existing EU Data Protection Directive with the General Data Protection Regulation, a significant landmark in data protection legislation. In our recent article we explored the seven key areas of change that the Regulation will bring about, replacing entirely the Data Protection Act 1998 (the DPA). Alongside the Regulation, a new Data Protection Directive (the Directive) for the police and criminal justice sector has been approved, providing minimum standards for police and judicial use of data.

What happens now?
Due to its statutory form the Regulation will not need to be implemented into national law; rather, it will have direct effect, applying consistently to all data controllers and data processors - whether in the public or private sphere - within the European Union, automatically overriding any conflicting national legislation. Whilst there is still time before the Regulation comes into force in 2018, all data controllers need to be taking action now to prepare themselves for compliance. Those data controllers who are not compliant with the current DPA (including transfers to the US following the recent decision regarding the Safe Harbor scheme) will find themselves with much more work to do during this time. The Information Commissioner's Office (the ICO) has issued helpful guidance for data controllers in the UK; however, organisations who do not already have a good understanding of their data flows and processing will need to make this a priority before they are able to take steps towards compliance. Those organisations who have not actively addressed data protection compliance should be mindful of the emphasis under the Regulation on the protection of individuals' rights and control over their data, as well as the greater level of sanctions and fines to be introduced. Further, it is important to bear in mind that recent well-publicised data protection leaks and high-profile cases have increased individuals' understanding and appreciation of data protection and how their data should be handled. Once the Regulation has been translated it will enter into force 20 days after it is published in the EU Official Journal. Two years after this date the Regulation will be directly applicable in all member states, and all data controllers and processors will need to be compliant with it. Member states will have two years to transpose the Directive into national law. 
However, as the UK and Ireland have special status concerning justice and home affairs, there will be a limit on the applicability of the Directive in those jurisdictions. Should you have any concerns about your organisation's current level of data protection compliance, please do not hesitate to contact us. Fri, 15 Apr 2016 00:00:00 +0100<![CDATA[Anastasia Fowle ]]><![CDATA[It has taken a lengthy legislative process but on 14 April 2016 the European Parliament voted to replace the existing EU Data Protection Directive with the General Data Protection Regulation, a significant landmark in data protection legislation.]]>{D1960109-7BBA-4279-AA2E-E2A4727DCBBD}https://www.shoosmiths.co.uk/client-resources/legal-updates/compliance-in-a-new-privacy-landscape-11155.aspxNew EU data protection regulation: compliance in an evolving privacy landscape
Some four years in the making, the General Data Protection Regulation (the Regulation) is now in an agreed form pending formal ratification by the EU. 
In this article, we examine seven key areas of change which the Regulation will bring and consider what action your organisation should be taking now to ensure that it is ready when the legislation takes effect.

A changing landscape
Whilst implementation of the Regulation is still over two years away, the road to compliance is likely to be a long one for many organisations. The Regulation represents a significant strengthening of European data protection legislation, both in terms of obligations imposed on organisations and in terms of the rights granted to individuals. It will replace the Data Protection Act 1998 (the Act) in the UK, which has been in force for over 15 years. The Regulation comes after a significant year in the data protection sphere. From dating sites to healthcare providers and telecommunications companies, the last 12 months have seen both the severity and profile of data security breaches increase significantly. In addition, a ground-breaking decision in October 2015 rendered the Safe Harbor scheme ineffective, which many companies previously relied upon for the transfers of personal data to the US.

Seven key changes under the Regulation
The Regulation will have a significant impact on many areas of data protection compliance. By way of summary, here are the key changes to be aware of.

1. Fines of 20 million Euros or more
The Regulation will introduce a significant increase in the sanctions available to regulators in the event of a breach. The level of potential fine available for any breach will depend on the nature of the breach, but with fines of up to 20 million Euro or 4% of global annual turnover available (whichever is the greater), this change alone should be enough to encourage organisations to take stock of current levels of data protection compliance, as data protection compliance will soon become a key governance issue.

2. Mandatory notification of a breach within 72 hours
The Regulation will make it mandatory for organisations to notify the relevant data protection authority without undue delay and in any event within 72 hours of the discovery of a data breach (unless the breach is unlikely to result in a risk to the rights and freedoms of individuals). Currently, organisations are not required to report a breach. Whilst there is a presumption that organisations should currently notify the Regulator if the breach is sufficiently 'serious', this is not compulsory. In addition, organisations will be required to notify data subjects affected by a breach 'without undue delay' where the breach is likely to result in a high risk for the rights and freedoms of individuals. Finally, data processors are bound by the Regulation as well, and they too must report breaches, but to data controllers, again without undue delay.

3. Rights of data subjects
The Regulation goes to great lengths to ensure that individuals are in control in relation to the processing of their personal data. This is evidenced by the introduction of two rights: firstly, the new 'right to be forgotten / right to erasure' and secondly, the 'right to data portability'. The first of these permits individuals to demand erasure of their personal data under certain circumstances (e.g. following withdrawal of consent to processing and where there is no other legal ground for the processing of that data). The second obliges organisations to ensure any data supplied to an individual in response to a request is supplied in a structured, commonly used and machine-readable format which allows the data to be transferred to another organisation 'without hindrance'.

4. Stricter consent requirements
The Regulation still provides that consent to process personal data must be 'freely given, specific and informed'. However, there is now an additional requirement that consent is 'unambiguous' and must involve a clear affirmative action signifying consent to the processing. Silence or inactivity is therefore not sufficient. In addition, the purposes for which personal data is processed must be specified, explicit and legitimate. This change of emphasis clearly demonstrates the move towards greater transparency. It will have clear implications in an HR context, where the employer/employee relationship is not seen to be one in which consent can be 'freely given'. Other legal bases of processing will be required.

5. Obligation to appoint a Data Protection Officer
Currently it is not compulsory for organisations to appoint a Data Protection Officer (DPO). However, under the new legislation the following types of organisations must do so: public authorities; organisations whose 'core activities' consist of 'systematic monitoring' of data subjects on a large scale; and organisations whose core activities consist of processing 'special categories' of data on a large scale. The definition of 'special categories' is similar (although not identical) to the definition of 'sensitive personal data' under the Act, and includes personal data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data (new), biometric data (new), health, sex life and/or sexual orientation. The DPO will be responsible for the organisation's compliance with the Regulation and will be the first point of contact in the event of an investigation by the Information Commissioner's Office ('ICO'). The appointed DPO must have sufficient expert knowledge in relation to data protection compliance and report directly to the highest management level, a significant change from now.

6. Broader Scope
The Regulation broadens the scope of EU Data Protection legislation in two key ways. Firstly, in addition to EU entities, the Regulation applies to organisations based outside of the EU who target EU customers. This presents a potential compliance nightmare for many non-EU organisations. How this aspect of the Regulation would be enforced in practice is yet to be seen. Secondly, whereas the Act applies only to 'data controllers', some key aspects of the Regulation will also apply to EU 'data processors'. A data processor is an entity which processes personal data on behalf of a data controller, but does not determine the purposes and means of processing personal data. For example, if an organisation outsources services such as IT or payroll to a separate entity, that entity would be a data processor. Currently, all responsibility under the Act stays with the data controller even when personal data is transferred to a data processor. While this change may give some comfort to data controllers who outsource the processing of personal data to data processors, it will be of concern for many data processors, and risk management and contract negotiations are likely to be more actively pursued than previously.

7. A pro-active approach to privacy
The Regulation requires organisations to take a pro-active, as opposed to a reactive, approach to privacy. In particular, data protection 'by design and default' will become the norm, as organisations will need to consider privacy implications at all stages of a project and must keep this under continual review. In particular, all organisations will be required to complete 'Data Protection Impact Assessments' (DPIAs) if and when they engage in processing or embark on projects which present a high degree of risk in relation to personal data. In addition, organisations with over 250 employees will now be required to maintain accurate records of data processing activities.

So, what should you be doing to prepare for these changes?
Here are some suggestions of what you should be considering now to ensure that your organisation is ready when the Regulation comes into force:

Do you have policies and procedures in place which would ensure that a breach could be quickly and readily identified, contained and remedied? Do these policies go far enough to enable you (if a data controller) to notify the ICO within 72 hours (or, if you're a data processor, to notify the controller without undue delay)? If not, these will need to be updated.

Are your fair processing notices and privacy policies clear and comprehensive - do they allow for 'unambiguous' consent and make 'explicit' the purposes for which data is processed (as opposed to pre-ticked boxes or silence as a form of acceptance)? If not, these will need to be reviewed.

Have you appointed a DPO who is appropriately trained and experienced in relation to data protection compliance? If not, who is the most appropriate person to take on this responsibility, or will you need to recruit?

If you currently process personal data on behalf of other organisations, are you comfortable that you will be able to comply with the requirements of the Regulation? Indeed, are you aware of what these requirements are? If not, do you need to seek advice in order to ensure that you are adequately informed of what these changes will mean for your organisation?

Do you have systems in place which would facilitate the deletion of data on request and, where required, provide data in a readily accessible, structured, commonly used and machine-readable format? If not, you may need to engage with the IT team to find out what changes will need to be implemented to address this.

Do you keep detailed records of how personal data is processed by the business? If not, who will be responsible for this and how will it be achieved in practice? 
Do you complete DPIAs before embarking on a project which involves the processing of personal data and could impact on the privacy rights of individuals? If not, what processes need to be put in place to ensure that all such projects are brought to your attention, so that a DPIA is conducted in every instance?

Are group companies who are based outside of the EU aware of their obligations under the Regulation if they target EU customers? If not, it would be prudent to liaise with such group companies in order to ensure that they are not kept in the dark.

And finally...

On a sobering note, with fines under the Regulation capped at a staggering 20 million Euros (or 4% of global group turnover, if higher) for a single breach, it is worth considering whether or not you are currently satisfied with your organisation's level of compliance. If not, urgent action is required if your organisation is to be ready for the much more demanding obligations which will be imposed under the Regulation. We can help you with that.

Disclaimer
This document is for informational purposes only and does not constitute legal advice. It is recommended that specific professional advice is sought before acting on any of the information given.
Mon, 04 Apr 2016 00:00:00 +0100<![CDATA[Nicky Jenkins ]]>{735D0BBE-90A1-43D5-B7CD-52E173EE0BE8}https://www.shoosmiths.co.uk/client-resources/legal-updates/the-eu-us-privacy-shield-a-new-safe-harbor-10932.aspx
The EU-US Privacy Shield - a new safe harbor?

The European Court of Justice ruled last October that the data sharing framework between the EU and US, referred to as Safe Harbor, is no longer valid. On 2 February 2016, the EU and US authorities agreed in principle on a 'new' arrangement, known as the 'EU-US Privacy Shield', which is intended to replace 'Safe Harbor'. But is the EU-US Privacy Shield really the solution which EU and US businesses have been waiting for?

A not so 'safe' harbor

Principle 8 of the Data Protection Act 1998 (the 'Act') requires that personal data must not be transferred outside the EEA without adequate protection for the rights and freedoms of individuals. The Safe Harbor scheme was designed to ensure that the transfer of EU citizens' data to the US (but not other non-EEA countries) was adequately protected in line with Principle 8. The Safe Harbor framework worked by allowing US companies to self-certify their adherence to a number of principles of compliance with EU data protection legislation.
The scheme meant that information could be easily and routinely transferred to US companies who were Safe Harbor registered, without the need to put in place other methods to comply with Principle 8. In the wake of revelations of mass surveillance operations by the National Security Agency ('NSA'), Safe Harbor came under the microscope of the European Court of Justice, which ruled the Safe Harbor framework to be invalid as it does not adequately protect the privacy rights of EU consumers. For more on the Safe Harbor decision click here. With many businesses previously using the Safe Harbor scheme to transfer data to the US across subsidiaries, to partner companies or as part of their IT infrastructure, businesses need to ensure that they are continuing to protect personal data relating to customers and employees when the data leaves the UK.

The EU-US Privacy Shield

Following the finding of invalidity, discussions between the EU and the US have been ongoing with a view to replacing the Safe Harbor scheme. On 2 February 2016, the EU-US Privacy Shield replacement was announced, which hopes to produce a workable solution. The EU-US Privacy Shield aims to provide a more robust and transparent mechanism through which EU-US transfers of EU citizens' data can be protected. The new arrangement will create stronger obligations for US companies to protect personal data and greater enforcement measures by US authorities. This will include limiting intelligence agencies' access to personal data for law enforcement and national security purposes to the extent that such processing is 'necessary and proportionate'. European citizens will have increased rights of redress, with companies having deadlines to reply to complaints and the option to refer a dispute to a newly appointed Ombudsman. Furthermore, an annual joint review will closely monitor the implementation of the scheme.

So what are the key messages to take away from this week's announcement?

Firstly, there continues to be a lack of clear guidance as to how organisations should proceed in the interim until the EU-US Privacy Shield comes into force. The Article 29 Working Party, which comprises representatives from national data protection authorities and provides advice to the EU Commission on data protection matters, has stated that enforcement will likely be left to individual Member States' data protection authorities. The Information Commissioner's Office ('ICO'), the UK's data protection authority, has encouraged organisations to review their transfers to the US and consider alternatives, but has not been clear as to how heavy-handed enforcement would be in the event that organisations fail to do so.

Secondly, much like the now defunct Safe Harbor scheme before it, the longevity of the EU-US Privacy Shield is directly related to the security situation in the US and the extent to which lawmakers can prove EU citizens' data can be adequately protected under the new scheme. Can the EU-US Privacy Shield really rebuild the lost trust in the Safe Harbor scheme?

A state of uncertainty

For the time being, we continue to live in a state of uncertainty. The draft 'adequacy decision' still needs to be published (expected by the end of February) and the Article 29 Working Party will then need to consider whether its provisions are adequate and consult with Member States. The Article 29 Working Party has stated that it will assess the proposed EU-US Privacy Shield against 'four essential guarantees' to enable intelligence activities to take place:
processing should be based on clear, precise and accessible rules;
any processing should be necessary and proportionate with regard to any legitimate national security objectives;
an independent body must provide effective oversight; and
individuals must be provided with effective remedies before an independent body.

The coming months will bring further details of how the EU-US Privacy Shield will function in practice. Of course, it is entirely possible that it may not get that far. The lack of legal certainty at present is concerning for many organisations. Helpfully, the Article 29 Working Party has confirmed that existing provisions such as model contract clauses and binding corporate rules (see below) will remain valid for now, but has also stated that as part of its review it will consider whether these provisions will remain valid following the introduction of the EU-US Privacy Shield. Ultimately, the success of the new scheme will be reliant both upon approval from the Article 29 Working Party and upon widespread adoption by organisations in both the EU and US.

Unless and until the EU-US Privacy Shield framework is finalised, businesses should consider alternative measures to protect themselves. In particular, we suggest that businesses should review the following:

Does personal data really need to be shared with the US entity? Is there another method of achieving the same objective?

Can the data be anonymised without losing its usefulness? If so, the Act will not apply (it only applies to data which can identify a living individual, either by itself or in conjunction with other data in the organisation's possession). Effective anonymisation can be difficult to achieve in practice.

Can model contract clauses be put in place? These clauses have been approved by the EU Commission as ensuring adequate protection for the rights of individuals and can be used for intra-group transfers or transfers to other businesses.

If the transfer is intra-group, can you apply for approval for binding corporate rules? The application process can be cumbersome, but the result is better flexibility for companies with complex and ever-changing group structures.

If businesses choose not to adopt any of the above measures, they can evaluate their compliance by way of 'self-assessed adequacy'.
This involves consideration of a wide range of factors but is a risky option, as it does not automatically mean compliance with Principle 8.

The issue of transfers of personal data from the EU to the US continues to be in the spotlight. With a major shake-up of EU data protection legislation expected in 2018 which could see businesses facing fines of up to 4% of their global annual turnover for a breach, the change from Safe Harbor to the new EU-US Privacy Shield is the start of a greater transformation in the complex world of data protection compliance that businesses simply can't afford to ignore.

Disclaimer
This document is for informational purposes only and does not constitute legal advice. It is recommended that specific professional advice is sought before acting on any of the information given.
Fri, 05 Feb 2016 00:00:00 Z<![CDATA[Nicky Jenkins ]]>{3432BA8E-4C20-4406-8C48-ABF715BA935F}https://www.shoosmiths.co.uk/client-resources/legal-updates/monitoring-employees-communications-eu-case-10889.aspx
Monitoring employees' communications: EU case sends wrong message

Employers should be cautious after a recent decision was widely reported as a 'green light' to read employees' personal communications at work; this is not the case.

Background

The European Court of Human Rights (ECtHR) recently ruled on the right to privacy at work in the case of Barbulescu v Romania. The case received considerable media coverage and involved an employee who was dismissed for using his employer's internet for personal purposes during working hours. The Claimant was an engineer who sent private messages to his family using his business Yahoo Messenger account on his employer's equipment. Acting upon a suspicion, the employer took action and, during the disciplinary process, reviewed the usage of the Claimant's Yahoo Messenger correspondence for a number of days, collating a 45 page transcript. It discovered that the Claimant, despite his denials, had been using the account to contact his girlfriend and brother during working hours.
Some of the messages reviewed referred to the Claimant's health and sex life (both amounting to sensitive personal data). The Claimant was dismissed and brought proceedings against his employer in Romania; he then took his case to the ECtHR, arguing that his dismissal was based on a violation of his right to privacy. The Court considered the extent to which the Claimant's employer was legally entitled to read his private messages before breaching his right to respect for private and family life, home and correspondence (enshrined in Article 8 of the European Convention on Human Rights). Although deciding that Article 8 was relevant, the ECtHR ruled, by a majority, that the monitoring of the Claimant's messenger usage and the reliance on the private messages in the disciplinary process and the later Court proceedings in Romania was acceptable. Ultimately it was held to be a 'proportionate interference' with the Claimant's rights under Article 8. The Court held that the monitoring of the communications was both pursuant to the employer's existing rules and policies and proportionate in the context of the disciplinary proceedings.

Media commentary on the decision suggested the ECtHR's ruling was an infringement of basic civil liberties and Article 8 rights. The impression has been given that the case means employers can freely monitor their employees' personal communications, but this is misleading and the case is not necessarily as significant as it has been portrayed.

Not a new concept

Unusually, the employer had a blanket ban on sending personal messages whilst at work; the employee was aware of this and had been given prior warning that his employer could check his messages. He had also been instructed by his employer to set up the Yahoo Messenger account solely to answer client queries; this was then accessed on 'the assumption that the information in question had been related to professional activities'. The employer also owned the device which was used, and the monitoring was in accordance with its policies. The ECtHR held it was 'not unreasonable that an employer would want to verify that employees were completing their professional tasks during working hours'.

The ruling is, in reality, re-emphasising the current position and follows the previous stance of the ECtHR on employees' expectation of privacy at work. The decision does not override the position under the Data Protection Act 1998 (DPA) or the Regulation of Investigatory Powers Act 2000 in the UK, which impose significant limitations on the ability of employers to carry out monitoring of their employees both on and offline.

The current position

The DPA does not prohibit employers from monitoring their employees as long as personal data is 'fairly and lawfully processed for specified purposes'. Employers are able to monitor communications where this is objectively justified and strikes a fair balance between individuals' rights and the interests of employers. What does that mean? Generally, that employers have a good business reason for the monitoring (for example, to check the quality and quantity of work or to fulfil a legal obligation) and that employees are aware of the nature, extent and reasons for the monitoring being carried out. This could be achieved by setting out the information in a workplace policy and making sure this is brought to the individual's attention, for example in an induction or training session. Individuals may have a legitimate expectation of privacy even where they are sending and receiving communications at work and on their employer's equipment. Interference with that privacy must therefore be for a good reason and done in a reasonable and proportionate way.

The Information Commissioner's Office (ICO) has issued good practice guidance in relation to employee monitoring. In particular, the ICO suggests that businesses conduct a privacy impact assessment to determine whether or not employee monitoring is justified and proportionate. This will involve:
identifying the purpose(s) for the monitoring;
identifying the benefits it is likely to deliver;
identifying any adverse impact on employees (or others) of the monitoring;
considering what, if any, alternative arrangements could be put in place;
taking into account the obligations which arise from monitoring (i.e. ensuring any data gathered is processed in accordance with the DPA); and,
taking the above into account, assessing whether monitoring can be justified.

Considerations for employers:

Where employees are expected to work long hours, a blanket ban on personal internet usage at work is unlikely to be practical (or popular), particularly in office based roles.

Employers should have a clear policy that sets out what is and is not acceptable, together with details of what access the employer will have to communications in the workplace and on company devices. Such policies should be brought to the attention of employees. Where appropriate, express consent to monitoring should be sought from employees.

A balance must be struck which allows employees to manage their work and home lives concurrently but within reason. Employers should recognise that policies and procedures should allow for a reasonable amount of flexibility but, when necessary, be enforced fairly and consistently.

Employers should take steps to ensure that any policies or procedures governing monitoring are reasonable and justified by a legitimate aim and supported with company-wide compliance with the DPA. To be compliant, employees should be made aware of the nature, extent and reasons for the monitoring being carried out and how their personal data will be processed.
Should you require any further information or advice on the monitoring of electronic communications, please email Pamela Morris (Employment and Data Protection) on pamela.morris@shoosmiths.co.uk or Joanna Davis (Commercial and Data Protection) on joanna.davis@shoosmiths.co.uk. DisclaimerThis document is for informational purposes only and does not constitute legal advice. It is recommended that specific professional advice is sought before acting on any of the information given. Thu, 28 Jan 2016 00:00:00 Z<![CDATA[Stuart Lawrenson ]]><![CDATA[ Employers should be cautious after a recent decision was widely reported as a 'green light' to read employees' person communications at work; this is not the case. Background The European Court of Human Rights (ECtHR) recently ruled on the right to privacy at work in the case of Barbulescu v Romania. The case received considerable media coverage and involved an employee who was dismissed for using his employer's internet for personal purposes during working hours. The Claimant was an engineer who sent private messages to his family using his business Yahoo Messenger account on his employer's equipment. Acting upon a suspicion, the employer took action and during the disciplinary process, it reviewed the usage of the Claimant's Yahoo Messenger correspondence for a number of days collating a 45 page transcript. It discovered that the Claimant, despite his denials, had been using the account to contact his girlfriend and brother during working hours. Some of the messages reviewed referred to the Claimant's health and sex life (both amounting to sensitive personal data). The Claimant was dismissed and brought proceedings against his employer in Romania; he then took his case to the ECtHR, arguing that his dismissal was based on a violation of his right to privacy. 
The Court considered the extent to which the Claimant's employer was legally entitled to read his private messages before breaching his right to respect for private and family life, home and correspondence (enshrined in Article 8 of the European Convention on Human Rights). Although deciding that Article 8 was relevant, the ECtHR ruled, by a majority, that the monitoring of the Claimant's messenger usage and the reliance on the private messages in the disciplinary process and the later Court proceedings in Romania was acceptable. Ultimately it was held to be a 'proportionate interference' with the Claimant's rights under Article 8. The Court held that the monitoring of the communications was both pursuant to the employer's existing rules and policies and proportionate in the context of the disciplinary proceedings. Media commentary on the decision suggested the ECtHR's ruling was an infringement of basic civil liberties and Article 8 rights. The impression has been given that the case means employers can freely monitor their employees' personal communications but, this is misleading and the case is not necessarily as significant as it has been portrayed. Not a new concept Unusually the employer had a blanket ban on sending personal messages whilst at work and the employee was aware of this and had been given prior warning that his employer could check his messages. He had also been instructed by his employer to set up the Yahoo Messenger account solely to answer client queries; this was then accessed on 'the assumption that the information in question had been related to professional activities'. The employer also owned the device which was used and the monitoring was in accordance with their policies. The ECtHR held it was, 'not unreasonable that an employer would want to verify that employees were completing their professional tasks during working hours'. 
The ruling is, in reality, reemphasising the current position and follows the previous stance of the ECtHR on employees' expectation of privacy at work. The decision does not override the position under the Data Protection Act 1998 (DPA) or the Regulation of Investigatory Powers Act 2000 in the UK which impose significant limitations on the ability of employers to carry out monitoring of their employees both on and offline. The current position The DPA does not prohibit employers from monitoring their employees as long as personal data is 'fairly and lawfully processed for specified purposes'. Employers are able to monitor communications where this is objectively justified and strikes a fair balance between individuals' rights and the interests of employers. What does that mean? Generally, that employers have a good business reason for the monitoring, for example, to check the quality and quantity of work or to fulfil a legal obligation and that employees are aware of the nature, extent and reasons for the monitoring being carried out. This could be achieved by setting out the information in a workplace policy and making sure this is brought to the individual's attention for example, in an induction or training session. Individuals may have a legitimate expectation of privacy even where they are sending and receiving communications at work and on their employer's equipment. Interference with that privacy must therefore be for a good reason and done in a reasonable and proportionate way. The Information Commissioner's Office (ICO) has issued good practice guidance in relation to employee monitoring. In particular, the ICO suggests that businesses conduct a privacy impact assessment to determine whether or not employee monitoring is justified and proportionate. 
This will involve: identifying the purpose(s) for the monitoring, identifying the benefits it is likely to deliver, identifying any adverse impact on employees (or others) of the monitoring, considering what if any alternative arrangements could be put in place, taking into account the obligations which arise from monitoring (i.e. ensuring any data gathered is processed in accordance with the DPA) and, taking the above into account, accessing whether monitoring can be justified? Considerations for employers: Where employees are expected to work long hours a blanket ban on personal internet usage at work is unlikely to be practical (or popular) particularly in office based roles. Employers should have a clear policy that sets out what is and is not acceptable together with details of what access the employer will have to communications in the workplace and on company devices. Such policies should be brought to the attention of employees. Where appropriate, express consent to monitoring should be sought from employees A balance must be struck which allows employees to manage their work and home lives concurrently but within reason. Employers should recognise that policies and procedures should allow for a reasonable amount of flexibility but when necessary be enforced fairly and consistently Employers should take steps to ensure that any policies or procedures governing monitoring are reasonable and justified by a legitimate aim and supported with companywide compliance with the DPA. To be compliant employees should be made aware of the nature, extent and reasons for the monitoring being carried out and how their personal data will be processed. Should you require any further information or advice on the monitoring of electronic communications, please email Pamela Morris (Employment and Data Protection) on pamela.morris@shoosmiths.co.uk or Joanna Davis (Commercial and Data Protection) on joanna.davis@shoosmiths.co.uk. 
DisclaimerThis document is for informational purposes only and does not constitute legal advice. It is recommended that specific professional advice is sought before acting on any of the information given. ]]>{ADE145B9-0E28-4D55-B428-577A02CA0720}https://www.shoosmiths.co.uk/services/data-protection-96.aspxPrivacy &amp; data /* use [h]text[/h] to hightlight word [nl] for new line */ var carousel_data = [ // img: "PATH TO BACKGROUND IMG", title: "Title [h]hightline[/h] [nl]new line [h]highlight[/h]", sig: "button right sig", LinkText: 'This is a link (OPTIONAL)', Link: '#test (OPTIONAL)', textPos: "right/left (OPTIONAL)", color:"white-text (OPTIONAL)" { img: "/images/double_width_images/triangles_doublewidth.jpg", title: "[h]Protecting[/h] your digital assets", alt: "", textPos: "right", color:"white-text" } ]; $(function () { $.each(carousel_data, function (i, item) { if (i > 0) { item.printClass = "no-print"; } item.title = item.title.replace(/\[h\]/g, '<span>'); item.title = item.title.replace(/\[\/h\]/g, '</span>'); item.title = item.title.replace(/\[nl\]/g, '<br>'); }); $(".js-carousel-large .items").html($("#carousel-simple-template").render(carousel_data)); $('.text-float h2').html(carousel_data[0].title); if (carousel_data[0].sig) { $('.ui-carousel-sig').html(carousel_data[0].sig); }else{ $('.ui-carousel-sig').hide(); } if (carousel_data[0].subHeading) { $('.ui-carousel-subheading').html(carousel_data[0].subHeading); } $('.text-float').attr("class", "text-float"); if (carousel_data[0].color) { $('.text-float').addClass(carousel_data[0].color); } $('.text-float').addClass(carousel_data[0].textPos); if (carousel_data[0].Link) { $('.ui-carousel-link').addClass("ui-carousel-sig-button").html('<a class="ui-button ui-button-white ui-button-arrow-lr" href="' + carousel_data[0].Link + '" title="' + carousel_data[0].LinkText + '"><span class="ui-button-icon"></span>' + carousel_data[0].LinkText + '</a>'); } else { 
$('.ui-carousel-link').empty().removeClass("ui-carousel-sig-button"); } /* if there is more than one item then load in the scrollable carousel */ if ($(".js-carousel-large .items .item").length > 1) { $(".js-carousel-large").scrollable({ circular: true, onBeforeSeek: function () { $('.ui-carousel-sig, .ui-carousel-link, .text-float, .ui-carousel-subheading').hide(); }, onSeek: function (item, number) { $('.text-float').fadeTo(300, 1); ind = this.getIndex(); $('.text-float').attr("class", "text-float"); $('.text-float').addClass(carousel_data[ind].textPos); if (carousel_data[ind].color) { $('.text-float').addClass(carousel_data[ind].color); } $('.text-float h2').html(carousel_data[ind].title); if (carousel_data[ind].Link) { $('.ui-carousel-link').show().addClass("ui-carousel-sig-button").html('<a class="ui-button ui-button-white ui-button-arrow-lr" href="' + carousel_data[ind].Link + '" title="' + carousel_data[0].LinkText + '"><span class="ui-button-icon"></span>' + carousel_data[ind].LinkText + '</a>'); } else { $('.ui-carousel-link').removeClass("ui-carousel-sig-button").empty(); } if (carousel_data[ind].subHeading) { $('.ui-carousel-subheading').text(carousel_data[ind].subHeading).show(); } else { $('.ui-carousel-subheading').empty().hide(); } if (carousel_data[ind].sig) { $('.ui-carousel-sig').text(carousel_data[ind].sig).show(); } else { $('.ui-carousel-sig').hide(); } } }).autoscroll({ interval: 6000 }).navigator(); } }); <div class="item {{:printClass}}"> <div class="image"><img src="{{:img}}" alt="{{:alt}}"></div> </div> <!-- "previous page" action --> <!-- injected IF ONLY ONE ITEM THEN IT DOES NOT ROTATE OR SHOW NAV--> <!-- end .navigation --> <!-- end .carousel --> Data protection overview Excellent service and legal advice from a team specialising in data protection law delivering an amazing client experience for companies in the UK. In recent years data protection compliance has become increasingly important for businesses. 
There are two main reasons for this. First, customer data has become a highly valuable business asset, with many organisations relying heavily on their ability to collect and process personal data in order to operate their businesses. Second, individuals are becoming more and more aware of their rights in relation to the protection of their personal information, so businesses must get it right if they want to gain customer trust and confidence. With current proposals to reform data protection regulation across Europe, it is likely that data protection compliance and regulation is going to become increasingly important for businesses. Shoosmiths' data protection team has a wealth of experience advising clients on data protection compliance issues and broader privacy laws concerning: marketing within the law use of CCTV employee monitoring the sale and purchase of customer databases The Freedom of Information Act We recognise that data protection and privacy affects many aspects of a business, so we work closely with clients to help them achieve compliance whilst not compromising on their overall objectives. For further information about specific data protection advice we have provided recently, have a look at the services our team offer which include: Data protection advice EU &amp; cookie legislation Subject access requests <!-- .ui-article --> Key contacts View all Data protection contacts Anastasia Fowle Partner T 03700 86 8314 Email me <!-- .ui-contacts-details --> Nicky Jenkins Senior Associate M 07540158134 T 03700 86 4071 Email me <!-- .ui-contacts-details --> Data protection overview Excellent service and legal advice from a team specialising in data protection law delivering an amazing client experience for companies in the UK. In recent years data protection compliance has become increasingly important for businesses. There are two main reasons for this. 
First, customer data has become a highly valuable business asset, with many organisations relying heavily on their ability to collect and process personal data in order to operate their businesses. Second, individuals are becoming more and more aware of their rights in relation to the protection of their personal information, so businesses must get it right if they want to gain customer trust and confidence. With current proposals to reform data protection regulation across Europe, it is likely that data protection compliance and regulation is going to become increasingly important for businesses. Shoosmiths' data protection team has a wealth of experience advising clients on data protection compliance issues and broader privacy laws concerning: marketing within the law use of CCTV employee monitoring the sale and purchase of customer databases The Freedom of Information Act We recognise that data protection and privacy affects many aspects of a business, so we work closely with clients to help them achieve compliance whilst not compromising on their overall objectives. 
For further information about specific data protection advice we have provided recently, have a look at the services our team offer which include: Data protection advice EU &amp; cookie legislation Subject access requestsWed, 07 Oct 2015 00:00:00 +0100<![CDATA[Anastasia Fowle Nicky Jenkins ]]><![CDATA[ /* use [h]text[/h] to hightlight word [nl] for new line */ var carousel_data = [ // img: "PATH TO BACKGROUND IMG", title: "Title [h]hightline[/h] [nl]new line [h]highlight[/h]", sig: "button right sig", LinkText: 'This is a link (OPTIONAL)', Link: '#test (OPTIONAL)', textPos: "right/left (OPTIONAL)", color:"white-text (OPTIONAL)" { img: "/images/double_width_images/triangles_doublewidth.jpg", title: "[h]Protecting[/h] your digital assets", alt: "", textPos: "right", color:"white-text" } ]; $(function () { $.each(carousel_data, function (i, item) { if (i > 0) { item.printClass = "no-print"; } item.title = item.title.replace(/\[h\]/g, '<span>'); item.title = item.title.replace(/\[\/h\]/g, '</span>'); item.title = item.title.replace(/\[nl\]/g, '<br />'); }); $(".js-carousel-large .items").html($("#carousel-simple-template").render(carousel_data)); $('.text-float h2').html(carousel_data[0].title); if (carousel_data[0].sig) { $('.ui-carousel-sig').html(carousel_data[0].sig); }else{ $('.ui-carousel-sig').hide(); } if (carousel_data[0].subHeading) { $('.ui-carousel-subheading').html(carousel_data[0].subHeading); } $('.text-float').attr("class", "text-float"); if (carousel_data[0].color) { $('.text-float').addClass(carousel_data[0].color); } $('.text-float').addClass(carousel_data[0].textPos); if (carousel_data[0].Link) { $('.ui-carousel-link').addClass("ui-carousel-sig-button").html('<a class="ui-button ui-button-white ui-button-arrow-lr" href="' + carousel_data[0].Link + '" title="' + carousel_data[0].LinkText + '"><span class="ui-button-icon"></span>' + carousel_data[0].LinkText + '</a>'); } else { $('.ui-carousel-link').empty().removeClass("ui-carousel-sig-button"); } /* 
if there is more than one item then load in the scrollable carousel */ if ($(".js-carousel-large .items .item").length > 1) { $(".js-carousel-large").scrollable({ circular: true, onBeforeSeek: function () { $('.ui-carousel-sig, .ui-carousel-link, .text-float, .ui-carousel-subheading').hide(); }, onSeek: function (item, number) { $('.text-float').fadeTo(300, 1); ind = this.getIndex(); $('.text-float').attr("class", "text-float"); $('.text-float').addClass(carousel_data[ind].textPos); if (carousel_data[ind].color) { $('.text-float').addClass(carousel_data[ind].color); } $('.text-float h2').html(carousel_data[ind].title); if (carousel_data[ind].Link) { $('.ui-carousel-link').show().addClass("ui-carousel-sig-button").html('<a class="ui-button ui-button-white ui-button-arrow-lr" href="' + carousel_data[ind].Link + '" title="' + carousel_data[0].LinkText + '"><span class="ui-button-icon"></span>' + carousel_data[ind].LinkText + '</a>'); } else { $('.ui-carousel-link').removeClass("ui-carousel-sig-button").empty(); } if (carousel_data[ind].subHeading) { $('.ui-carousel-subheading').text(carousel_data[ind].subHeading).show(); } else { $('.ui-carousel-subheading').empty().hide(); } if (carousel_data[ind].sig) { $('.ui-carousel-sig').text(carousel_data[ind].sig).show(); } else { $('.ui-carousel-sig').hide(); } } }).autoscroll({ interval: 6000 }).navigator(); } }); <div class="item {{:printClass}}" > <div class="image"><img src="{{:img}}" alt="{{:alt}}"/></div> </div> <!-- "previous page" action --> <!-- injected IF ONLY ONE ITEM THEN IT DOES NOT ROTATE OR SHOW NAV--> <!-- end .navigation --> <!-- end .carousel --> Data protection overview Excellent service and legal advice from a team specialising in data protection law delivering an amazing client experience for companies in the UK. In recent years data protection compliance has become increasingly important for businesses. There are two main reasons for this. 
First, customer data has become a highly valuable business asset, with many organisations relying heavily on their ability to collect and process personal data in order to operate their businesses. Second, individuals are becoming more and more aware of their rights in relation to the protection of their personal information, so businesses must get it right if they want to gain customer trust and confidence. With current proposals to reform data protection regulation across Europe, it is likely that data protection compliance and regulation is going to become increasingly important for businesses. Shoosmiths' data protection team has a wealth of experience advising clients on data protection compliance issues and broader privacy laws concerning: marketing within the law use of CCTV employee monitoring the sale and purchase of customer databases The Freedom of Information Act We recognise that data protection and privacy affects many aspects of a business, so we work closely with clients to help them achieve compliance whilst not compromising on their overall objectives. For further information about specific data protection advice we have provided recently, have a look at the services our team offer which include: Data protection advice EU &amp; cookie legislation Subject access requests <!-- .ui-article --> Key contacts View all Data protection contacts Anastasia Fowle Partner T 03700 86 8314 Email me <!-- .ui-contacts-details --> Nicky Jenkins Senior Associate M 07540158134 T 03700 86 4071 Email me <!-- .ui-contacts-details --> Data protection overview Excellent service and legal advice from a team specialising in data protection law delivering an amazing client experience for companies in the UK. In recent years data protection compliance has become increasingly important for businesses. There are two main reasons for this. 
First, customer data has become a highly valuable business asset, with many organisations relying heavily on their ability to collect and process personal data in order to operate their businesses. Second, individuals are becoming more and more aware of their rights in relation to the protection of their personal information, so businesses must get it right if they want to gain customer trust and confidence. With current proposals to reform data protection regulation across Europe, it is likely that data protection compliance and regulation is going to become increasingly important for businesses. Shoosmiths' data protection team has a wealth of experience advising clients on data protection compliance issues and broader privacy laws concerning: marketing within the law use of CCTV employee monitoring the sale and purchase of customer databases The Freedom of Information Act We recognise that data protection and privacy affects many aspects of a business, so we work closely with clients to help them achieve compliance whilst not compromising on their overall objectives. For further information about specific data protection advice we have provided recently, have a look at the services our team offer which include: Data protection advice EU &amp; cookie legislation Subject access requests]]>{4DE1E75E-3F72-40D1-9EB4-3FC7069B2A0E}https://www.shoosmiths.co.uk/client-resources/legal-updates/european-copyright-law-four-megatrends-10175.aspxEuropean Copyright Law - four megatrends With concrete proposals for amendments to European copyright law not due until this autumn, now is a good time to take stock. Below we take a look at four 'megatrends' in European copyright law, which together with the related issues of privacy, data protection and competition law, will dominate the regulatory agenda and discourse over the next three years. 
Trend 1: Territoriality in copyright - principle survives but cross-border restrictions won't While the inherently territorial nature of copyright will survive, so that rights owners will continue to be able to exploit works on a national or regional basis, territorial restrictions like geo-blocking (both refusal to supply and automatic re-routing and geo-filtering based on a consumer's location) and restrictions on cross border access will be under increasing regulatory pressure within the EU and probably more broadly. The focus is likely to be on restrictions against cross border audio-visual digital content; but the issue of device portability may be relevant too. Trend 2: The rising clamour for free access With differing motivations, needs and demands, there are many voices within educational institutions, the research community, online intermediaries and consumer groups, all pressing for free(er) access. In terms of the copyright agenda, this will focus on the area of copyright exceptions. There is pressure to broaden certain existing exceptions for libraries and educational institutions; to introduce further exceptions, such as for text and data mining (this currently only exists in the UK) and to enable remote e-lending of e-books by libraries; to harmonise national exceptions and then, finally, to make them all mandatory. It's a big wish list. An exception to allow remote-lending by libraries would be strongly opposed by authors and publishers for obvious reasons, who would insist either on its inclusion in a public lending scheme or via direct licensing. It is hard to see how any such exceptions could meet the three criteria in the 'Berne 3-step test'. In contrast, there is likely to be more scope for consensus around the issue of harmonisation of exceptions. Publishers leading this debate see new and innovative licensing solutions as the answer to many if not all of these demands. 
Trend 3: E-commerce in digital content - the growing divergence between the treatment in law of copyright goods vs. services There is an emerging classification and distinction in EU law between digital content as goods, services or as a hybrid. For example, the Consumer Rights Directive (now in UK law) treats copyright content supplied on fixed media as a sale of goods; the same Directive treats contracts for digital content supplied by download, streaming etc. neither as goods nor services but as something in between, but nonetheless with consumer protections such as cancellation. This treatment of digital content as a supply of goods as against the provision of a service has significant implications for value added tax and author royalties under publisher contracts. It is also at the heart of the debate around whether the supply of digital content on 'sale like' terms 'exhausts' rights holders' rights to control subsequent redistribution. This is therefore a hot issue. Trend 4: Continuing tensions between online platforms and rights holders The Commission has acknowledged a sense of unfairness amongst rights holders in their relations with Internet platforms and a lack of level playing field. So in that context, it is interesting to note that in the latest instalment of the publishers/Amazon e-book distribution saga, the European Commission has opened an investigation into Amazon's e-book distribution arrangements. Under scrutiny are the 'most favoured nation' clauses that Amazon has in its supply contracts with publishers, under which those publishers are obliged to inform Amazon if they offer other distributors better terms than those offered to Amazon and/or to offer Amazon those better terms. Sarah Livestro, senior associate working in Shoosmiths' competition team, notes that this is interesting because 'most favoured nation' clauses aren't hard core restrictions of competition and wouldn't generally be an area of focus for competition authorities. 
She adds that the Commission is taking an interest because of Amazon's strong market position - the basis of the objection is (in part) abuse of dominance. So, it's important to note that, although MFN clauses will often be low risk or block exempted under the competition law rules, where a distributor has a significant market share these clauses may be problematic and a competition authority may investigate. Whatever else, we can be assured of a busy autumn on the regulatory front. Thu, 16 Jul 2015 00:00:00 +0100<![CDATA[Craig Armstrong ]]><![CDATA[ With concrete proposals for amendments to European copyright law not due until this autumn, now is a good time to take stock. Below we take a look at four 'megatrends' in European copyright law, which together with the related issues of privacy, data protection and competition law, will dominate the regulatory agenda and discourse over the next three years. Trend 1: Territoriality in copyright - principle survives but cross-border restrictions won't While the inherently territorial nature of copyright will survive, so that rights owners will continue to be able to exploit works on a national or regional basis, territorial restrictions like geo-blocking (both refusal to supply and automatic re-routing and geo-filtering based on a consumer's location) and restrictions on cross border access will be under increasing regulatory pressure within the EU and probably more broadly. The focus is likely to be on restrictions against cross border audio-visual digital content; but the issue of device portability may be relevant too. Trend 2: The rising clamour for free access With differing motivations, needs and demands, there are many voices within educational institutions, the research community, online intermediaries and consumer groups, all pressing for free(er) access. In terms of the copyright agenda, this will focus on the area of copyright exceptions. 
There is pressure to broaden certain existing exceptions for libraries and educational institutions; to introduce further exceptions, such as for text and data mining (this currently only exists in the UK) and to enable remote e-lending of e-books by libraries; to harmonise national exceptions and then, finally, to make them all mandatory. It's a big wish list. An exception to allow remote-lending by libraries would be strongly opposed by authors and publishers for obvious reasons, who would insist either on its inclusion in a public lending scheme or via direct licensing. It is hard to see how any such exceptions could meet the three criteria in the 'Berne 3-step test'. In contrast, there is likely to be more scope for consensus around the issue of harmonisation of exceptions. Publishers leading this debate see new and innovative licensing solutions as the answer to many if not all of these demands. Trend 3: E-commerce in digital content - the growing divergence between the treatment in law of copyright goods vs. services There is an emerging classification and distinction in EU law between digital content as goods, services or as a hybrid. For example, the Consumer Rights Directive (now in UK law) treats copyright content supplied on fixed media as a sale of goods; the same Directive treats contracts for digital content supplied by download, streaming etc. neither as goods nor services but as something in between, but nonetheless with consumer protections such as cancellation. This treatment of digital content as a supply of goods as against the provision of a service has significant implications for value added tax and author royalties under publisher contracts. It is also at the heart of the debate around whether the supply of digital content on 'sale like' terms 'exhausts' rights holders' rights to control subsequent redistribution. This is therefore a hot issue. 
Trend 4: Continuing tensions between online platforms and rights holders The Commission has acknowledged a sense of unfairness amongst rights holders in their relations with Internet platforms and a lack of level playing field. So in that context, it is interesting to note that in the latest instalment of the publishers/Amazon e-book distribution saga, the European Commission has opened an investigation into Amazon's e-book distribution arrangements. Under scrutiny are the 'most favoured nation' clauses that Amazon has in its supply contracts with publishers, under which those publishers are obliged to inform Amazon if they offer other distributors better terms than those offered to Amazon and/or to offer Amazon those better terms. Sarah Livestro, senior associate working in Shoosmiths' competition team, notes that this is interesting because 'most favoured nation' clauses aren't hard core restrictions of competition and wouldn't generally be an area of focus for competition authorities. She adds that the Commission is taking an interest because of Amazon's strong market position - the basis of the objection is (in part) abuse of dominance. So, it's important to note that, although MFN clauses will often be low risk or block exempted under the competition law rules, where a distributor has a significant market share these clauses may be problematic and a competition authority may investigate. Whatever else, we can be assured of a busy autumn on the regulatory front. ]]>{7B0CA0A4-F39E-4655-8365-393DE0E21162}https://www.shoosmiths.co.uk/client-resources/legal-updates/new-audit-powers-for-the-ico-9874.aspxNew audit powers for the ICO As of 1 February, the Information Commissioner's Office (ICO) can force public healthcare organisations to undergo compulsory audits of their Data Protection Act 1998 compliance, a power that previously only applied to central government departments. Why has this come about? 
Healthcare organisations collect and handle significant amounts of sensitive personal data relating to their patients. In recent years they have been the subject of some high-profile serious data protection breaches. These breaches have not only led to NHS Trusts being hit with substantial fines (totalling £1.3 million) but have also resulted in affected individuals suffering significant distress. As with all breaches, the ICO investigated the incidents suffered within the NHS and, in many instances, its investigations revealed that the breaches had arisen as a result of systematic failings in how NHS organisations collect and handle personal data. The ICO has welcomed these new powers, which it considers will give it the 'chance to act before a breach happens.'

What do the new powers mean?

These powers will allow the ICO to enter organisations operating in the public health sector and to carry out an audit of their practices in order to evaluate their current levels of compliance with the Data Protection Act 1998. The audit process will review, amongst other things, how the NHS handles personal data relating to its patients. In particular, it will look at issues such as data security, records management, staff training and data sharing. Christopher Graham, the Information Commissioner, said: 'Time and time again we see data breaches caused by poor procedures and insufficient training. It simply isn't good enough.' It is apparent, therefore, that the ICO is not prepared to tolerate lax data protection compliance by public healthcare organisations going forward.

What can you do?

If you are an NHS Foundation Trust, GP Surgery, NHS Trust or community healthcare council (or equivalent in Scotland, Wales or Northern Ireland), this could apply to you. Steps can be taken now to help ensure that your organisation does not become the subject of a forced audit and is not held out as an example by the ICO.
The most effective way of mitigating these risks is to carry out an audit now. This will enable you to get a better understanding of current levels of compliance within your organisation and, in particular, to identify areas of non-compliance which need to be addressed. If your organisation is not itself caught by these powers but provides services to organisations which are, you may still be affected, as such organisations are now likely to demand much more from their service providers.

For further information on how Shoosmiths' Data Protection Team can help you with this process, please contact Aisling Duffy on 03700865089 or aisling.duffy@shoosmiths.co.uk

Disclaimer: This document is for informational purposes only and does not constitute legal advice. It is recommended that specific professional advice is sought before acting on any of the information given.

Thu, 04 Jun 2015 00:00:00 +0100
Nicky Jenkins

Google v Vidal-Hall: how the cookie crumbled in the Court of Appeal...
https://www.shoosmiths.co.uk/client-resources/legal-updates/google-v-vidal-hall-how-cookie-crumbled-court-appeal-9644.aspx

Last month saw the Court of Appeal uphold the judgment of the High Court that 3 claimants resident in England could bring claims in England against US-based Google Inc for misuse of private information and breach of the Data Protection Act 1998 (DPA). This landmark judgment clarifies the law on misuse of private information and also potentially paves the way for compensation claims from individuals under the DPA in relation to data collected by third-party cookies.

Background

The claimants are based in England and were users of the Safari web browser on Apple computers. In essence, the claimants' complaint was that Google had caused them distress and anxiety by enabling advertisers (through the installation of third-party cookies) to send them targeted adverts (some of which related to sensitive personal data) which might have been viewed by third parties who had used or seen their Apple devices. The cookies in question secretly tracked online behaviour and stored private information known as Browser Generated Information, or BGI. Google's DoubleClick service then allowed subscribing advertisers to collect BGI and send targeted advertising. Safari blocks third-party cookies by default, and Google's publicly stated position was that third-party cookies could not be enabled without Safari users' consent.
The claimants therefore assumed that when they used Safari, there were no third-party cookies storing private information and that there was no risk of targeted adverts relating to their private information being sent.

Misuse of Private Information

These proceedings arose because of the need for permission to serve on Google out of the jurisdiction. To obtain that permission, the claimants had to establish (amongst other things) that there was a good arguable case that their claim was made in tort (not in the equitable doctrine of breach of confidence) and that the damage was sustained within the jurisdiction. Since the coming into force of the Human Rights Act in 1988, the courts have grappled with the concept of introducing a law of privacy in this country. Previously, attempts have been made to categorise privacy claims as a species of breach of confidence claim rather than a standalone tort. In this judgment, however, following substantial legal argument spanning several years, the Court of Appeal has finally confirmed that there is a tort of misuse of private information. Whilst this decision had been presaged in earlier case law, there remained a lingering doubt about the status of this cause of action, which has now, finally, been laid to rest.

Data Protection Act 1988 (DPA)

Section 13 of the DPA gives individuals the right to claim compensation for damages arising out of a breach of the DPA. Section 13(2) of the DPA goes on to say that damages may also be recovered for distress in limited circumstances, including where the individual also suffers 'damage' by reason of the contravention. This distinction between damage and distress does not appear in the Data Protection Directive from which the DPA is derived and has been the subject of much debate and case law, in which section 13 has historically been interpreted as meaning that compensation could only be claimed for distress where financial loss had also been suffered.
As a result, very few compensation claims were brought under section 13 of the DPA, because the majority of breaches of the DPA lead to distress and not necessarily to financial loss. The application of section 13(2) therefore served as a barrier preventing individuals from bringing claims.

The Court of Appeal's judgment in this case has significantly changed the application and interpretation of section 13 of the DPA by recognising that the aim of the Data Protection Directive is not to protect economic rights, and that interpreting it as such has meant that many individuals have been unable to gain redress in circumstances where their rights to privacy have been breached. As a result of this ruling, it has now been established that a claimant does not have to prove pecuniary damage to bring a successful claim under section 13 of the DPA. Instead, the court ruled that it was sufficient for a claimant to establish that he or she has suffered 'distress'. Whilst Google has sought permission to appeal this decision to the Supreme Court, the decision of the Court of Appeal will inevitably result in significant change in the number of claims being made under the DPA where pecuniary loss is not necessarily relevant, and in how those claims are handled.

Key Points

This preliminary ruling may have serious consequences for the online advertising industry and the search engines which facilitate it. Whilst it was acknowledged by the courts and counsel for the claimants that the damages in this case might be small, the issues of principle are clearly large. With the recent EU announcement that Google may be investigated for alleged anti-competitive behaviour, it seems the authorities are closely watching the way in which our online activities are monitored.

Disclaimer: This document is for informational purposes only and does not constitute legal advice.
It is recommended that specific professional advice is sought before acting on any of the information given.

Fri, 24 Apr 2015 00:00:00 +0100
Harriet Campbell, Nicky Jenkins

Privacy watchdog: baring its teeth to protect consumers
https://www.shoosmiths.co.uk/client-resources/legal-updates/privacy-watchdog-baring-its-teeth-to-protect-consumers-9544.aspx

In our increasingly complex world, information security and data misuse are under ever greater scrutiny. As two investigations are launched by the Information Commissioner's Office ('ICO'), a significant fine is imposed on the Serious Fraud Office and allegations of data security breaches make national headlines, one cannot help but wonder if this spike in awareness is a sign of things to come.

What has been happening?

Over the years, we have seen an increase in data security breaches making their way into the public domain; however, there have been few (if any) weeks where the news has been so heavily dominated by headlines relating to the misuse of data. On 26 March, the ICO issued a fine of £180,000 against the Serious Fraud Office after a witness in a serious fraud, bribery and corruption investigation was mistakenly sent evidence relating to 64 other people. In particular (in just over 2 years) the witness was sent in excess of 2,000 evidence bags, 407 of which included information about third parties, including information showing payments made to those individuals, hospital invoices, DVLA documents and passport details. During its investigation, the ICO discovered that information being returned to the witness had been prepared by a temporary worker who had received minimal training and had no direct supervision. This incident has been quickly followed by the ICO having to launch 2 separate investigations after allegations were made regarding the sale of pension information and medical information for as little as 5p per individual.
This exposes individuals to significant risk at a time when pension reforms are on the horizon, which could result in pensioners being targeted with scams at a time when they can access their full pension pots. As a result of these allegations and evidence produced to the ICO, the ICO announced that it will be making enquiries to establish whether or not the Data Protection Act and/or the Privacy and Electronic Communications Regulations have been breached. Steve Eckersley, Head of Enforcement at the ICO, commented: 'What the Daily Mail has shown us is very worrying indeed. It suggests a frequent disregard of laws that are in place specifically to protect consumers. We will be launching an investigation immediately.' The claim made by those involved is that this information was collected legitimately and can lawfully be sold. In relation to the alleged sale of medical information, he also stated: 'People rightly consider information about their health to be sensitive, and in a recent survey we found that half of people consider it to be extremely sensitive. To think such information could be in the hands of unscrupulous businesses looking to profit from it sends a shiver down the spine. We'll be looking into claims made by these companies to consider whether there has been any breach of data protection law.'

Set against several well-known companies (including British Airways, GitHub and Slack) having been hit by cyber-attacks, this means that data security has been a critical issue for discussion this week. In the case of British Airways, it seems as though user accounts were accessed, and individuals became aware when account information had been changed and/or their user accounts had been used without their knowledge. Unfortunately for British Airways, its handling of the incident has also been criticised by security experts, who raised concerns about the technique used by British Airways to ask customers to reset their passwords.
What can we learn from this week?

There are a number of key lessons that we can take from this week:

- Firstly, the ICO can and will impose fines for serious breaches. Failing to have adequate training and supervision in place to ensure compliance with the Data Protection Act and the Privacy and Electronic Communications Regulations will not be tolerated.
- Secondly, the ICO is taking a proactive approach and will take immediate action as and when it becomes aware of, or suspects, that laws have been breached.
- Thirdly, having adequate information security programmes in place to prevent, detect and correct security breaches is of paramount importance. Having policies and procedures in place to ensure that such incidents are properly escalated, managed and resolved, so that personal (and other) data is protected, is also vital.

Disclaimer: This document is for informational purposes only and does not constitute legal advice. It is recommended that specific professional advice is sought before acting on any of the information given.

Tue, 31 Mar 2015 00:00:00 +0100
Nicky Jenkins

Contractual terms to protect your database - a practical alternative to copyright
https://www.shoosmiths.co.uk/client-resources/legal-updates/contractual-terms-protect-database-practical-alternative-copyright-9083.aspx

The Court of Justice of the European Union (CJEU) has handed down a ruling that may significantly affect owners of databases of information who wish to restrict how their data is used, and those who make use of such databases. The CJEU has ruled that the owner of a database can contractually limit the use of the database if it does not fall within the statutory protection given by the Database Directive.

The Database Directive

Under the Directive, a lawful user of a database can use it for what would otherwise be 'restricted acts' (such as reproducing, translating, distributing or communicating to the public the contents of the database) that are necessary for the purposes of access to the contents of the database, provided that they constitute 'normal use'. In addition, where a database is made available to the public (e.g. on a website), the database owner can't prevent a lawful user from extracting or reusing insubstantial parts of the database, provided that this is a 'normal exploitation' of the database and does not prejudice the database owner's legitimate interests or their rights as copyright owner. Article 15 of the Database Directive specifically stops a database owner from putting anything in their terms and conditions that prevents this and says that any such terms and conditions will be void.

The ruling

In the case between Ryanair and Dutch company PR Aviation which resulted in the recent ruling, PR Aviation ran a price comparison website allowing users to compare and then book low-cost flights without ever visiting the airline's own website.
They had obtained the price and flight data from Ryanair's website, whose terms and conditions stated that any price comparison website should enter into a licence of Ryanair's database of flight price and timetable information. PR Aviation had not done this. Ryanair brought a claim for infringement of its rights in its flight information data, as well as for breach of the website terms and conditions. Proceedings were referred to the CJEU, asking whether the Directive (and in particular the provisions preventing contractual limitations) extends to databases which are not protected by copyright or by database right. The CJEU ruled that it does not, and that owners of databases which fall outside the Directive can contractually restrict users in a way that owners of protected databases cannot.

When does a database fall within the Directive?

A database is defined as 'a collection of independent works, data or other materials arranged in a systematic or methodical way and accessible by electronic or other means'. In this case the database was a website containing flight information. A database will be protected by copyright if, by reason of the selection or arrangement of its contents, the database constitutes the owner's own original work. The bar for originality is low, and the Directive has clarified that the copyright protects the structure of the database rather than the data itself. Database right exists independently of copyright and protects the compilation of information itself. It will apply when there has been a 'substantial investment in obtaining, verifying or presenting the contents of the database'. Because of the requirement of 'substantial investment', companies who create a database using their own data will likely not be protected by database right unless they made more investment in the database than just creating or collecting the data.

What does this mean?
If the data is therefore not protected by copyright or database right (for example because it consists of the database creator's own data and no extra investment has been made in compiling the data), then this decision will apply, and the database owner will be able to contractually limit what its lawful users do with the data. This could be very relevant to database owners and users alike, and in particular, as in this case, to price comparison businesses, businesses who sell third-party products or services directly to consumers, and indeed businesses whose goods and services are sold by third parties. Owners of a database that does not fall within the scope of protection of the Directive will have contractual means to control their data, meaning that they could make it difficult for the likes of price comparison websites by restricting their ability to make use of the data without a licence, or potentially at all. Such businesses will need clarity on whether their database falls within the Directive in order to be clear on what they can limit users from doing in their terms and conditions.

What should I do?

- The value of databases can be easily overlooked, but sensible technical and practical measures (encryption, password protection, limiting access) should be taken to protect valuable datasets.
- Ensure that databases are regularly maintained: the duration of database right, if it exists, will be refreshed every time a substantial update is made to the content.
- Make sure that any database or dataset you make available, whether on a one-off basis or to the whole world via a website, has a copyright notice attached and is protected by contractual terms of use to which the user is clearly directed.

Disclaimer: This document is for informational purposes only and does not constitute legal advice. It is recommended that specific professional advice is sought before acting on any of the information given.
Wed, 28 Jan 2015 00:00:00 Z<![CDATA[
]]>{F33D9043-A439-4917-A5B8-1B1B319B7D81}https://www.shoosmiths.co.uk/client-resources/legal-updates/ico-issues-enforcement-notice-office-data-security-breach-9027.aspxICO issues Enforcement Notice in response to Office data security breach Shoe retailer Office has become the latest retailer to have its knuckles rapped by the Information Commissioner's Office (ICO) following a data protection breach which resulted in more than one million customer records being exposed.
Background
On 29 May 2014, the ICO was informed that a member of the public had hacked into an unencrypted historic database owned by Office. The database involved was in the process of being decommissioned and was being held on a legacy server outside the core infrastructure of its current website. Whilst certain technical measures were in place in order to minimise the risk of a data security breach taking place, these measures were not adequate and, as a result, a hacker was able to gain access to personal data relating to more than one million customers, including their contact details and website passwords. No financial information was accessed. The reason why Office had chosen to retain this historic information (some of which had become inaccurate) was to mitigate the risks associated with migration to its new system. However, in hindsight they consider that this approach may have been overly cautious and that it was not strictly necessary to retain this information.
What does the Data Protection Act 1998 (Act) require?
Principles 5 and 7 of the Act require that organisations processing personal data:
Do not store it for longer than necessary; and
Put in place appropriate technical and organisational measures to protect it.
It was these two Principles which Office failed to satisfy. In particular, the ICO determined that Office had retained customer information held on the legacy database for longer than necessary and had failed to implement adequate security measures to protect it.
It also noted that Office did not provide any formal data protection training to its staff and did not have a data retention policy in place.
What action did the ICO take?
The ICO exercised its powers under Section 40 of the Act and issued an Enforcement Notice to Office, in which it ordered Office to enter into an Undertaking to ensure that personal data is processed in line with the fifth and seventh Data Protection Principles, in particular by:
Ensuring that all its websites and servers are subject to regular penetration testing;
Implementing new data protection policy documents within 3 months and ensuring that these include policies on the retention and disposal of customer data;
Providing formal training to all its employees along with refresher training at regular intervals; and
Implementing such other security measures as are appropriate to ensure that personal data is protected.
What can you do?
If you are concerned about whether or not your organisation is complying with the requirements of the Act or are unsure about what exactly the Act requires, please contact Aisling Duffy on 03700865089 or aisling.duffy@shoosmiths.co.uk
Thu, 22 Jan 2015 00:00:00 Z<![CDATA[Nicky Jenkins ]]><![CDATA[ ]]>{D648B3C0-D1C6-47F1-A194-41270B6E6E09}https://www.shoosmiths.co.uk/client-resources/legal-updates/are-you-collecting-the-right-marketing-consents-7756.aspxAre you collecting the right marketing consents? Well-known chain store John Lewis has been ordered to pay damages to an individual who received marketing emails without having consented to receiving them. This case, which is likely to make many organisations reconsider whether or not the consents they have obtained are adequate, highlights the adverse implications that failing to market in accordance with the law can have on any business.
The law
The use of personal data for marketing campaigns is governed by the Data Protection Act 1998 (the "Act") and the Privacy and Electronic Communications (EC Directive) Regulations 2003 ("PECR"). They state that personal data must be processed fairly and lawfully and for specified purposes. Generally, this means that organisations must obtain consent to use individuals' personal data for specific purposes.
In the context of marketing, the type of consent that must be obtained depends on the nature of the marketing campaign to be carried out. In summary:
For post and/or telephone marketing campaigns, consent can be in the form of an 'opt-out' consent. This means that, provided individuals are informed of your intention to contact them, the method of contact and the purposes of contact, and provided individuals have the opportunity to decline being contacted, an organisation can contact them unless they have declined to receive it.
For email, fax or SMS marketing campaigns, consent must be in the form of an 'opt-in' consent. This means that individuals must be informed of the method of contact and purposes of contact and must then take a positive step to confirm that they consent to being contacted in that way. If they do not take a positive step to confirm consent, they should not be contacted.
The exception
There is an exception to the rules above and, where it applies, marketing can be sent by email, fax or SMS based on an 'opt-out' consent. This exception is known as the 'soft opt-in' and in order for it to apply:
contact details must have been collected during the sale or negotiation for the sale of goods or services;
subsequent marketing must relate to the same or similar goods or services; and
the individual must be given the opportunity to opt out at the time their information was collected and on each subsequent occasion where they are contacted.
What has happened here?
In this instance, it would appear that John Lewis either failed to draw the distinction between the different types of marketing campaign or adopted an extremely broad view of how the 'soft opt-in' exemption can be applied. As a result, the consents obtained were not adequate and their use of customer information for marketing purposes was deemed unlawful.
Not only has this resulted in John Lewis being ordered to pay damages, but it will also inevitably result in adverse media attention and therefore negative publicity and brand damage.
What should you do?
If you are unsure as to whether or not the consents you have collected from your customers are adequate and/or valid, please contact Aisling Duffy on 03700865089 or aisling.duffy@shoosmiths.co.uk for assistance.
Wed, 04 Jun 2014 00:00:00 +0100<![CDATA[Nicky Jenkins ]]><![CDATA[ ]]>{DA43CCC7-2B69-4CF2-A084-CF4DEBD5AFE8}https://www.shoosmiths.co.uk/news/press-releases/handling-data-securely-is-vital-advises-expert-7686.aspxHandling data securely is vital, advises expert Shoosmiths' head of data protection, Aisling Duffy, has advised companies holding data to protect it carefully.
This week eBay became the latest household name to suffer a serious data security breach which may have compromised the security of personal data relating to millions of its customers. The national law firm has a range of expert lawyers working in the field. Head of Shoosmiths' data protection team, Aisling Duffy, said that the fact the incident was not detected for 2 months after taking place generated most concern. Aisling said: 'Sources indicate that this data security breach took place in late February and early March and that, as a result, hackers gained access to user names, email addresses, residential addresses, phone numbers and dates of birth of many customers, who are obviously concerned that eBay failed to take appropriate steps to mitigate and manage the impact of the breach.
'Whilst many high profile data security breaches have been publicised in recent years, it is the impression that large and highly profitable organisations which process significant amounts of personal data are not taking steps to ensure that data is adequately protected and to be able to properly manage a breach should it take place, that causes most concern and is likely to lead to lasting brand damage.'
Shoosmiths' expert data protection team recommends that companies ask themselves these important questions:
Does your organisation have security measures in place to protect the data you hold?
Are those measures adequate?
What measures are in place to ensure that, if data is compromised, this will be detected?
Do you have a data security breach management policy in place to ensure that any such incident is dealt with in a timely and comprehensive manner?
Fri, 23 May 2014 00:00:00 +0100<![CDATA[Nicky Jenkins ]]><![CDATA[
]]>{827199F6-6708-4195-A6CB-B6BD7A1F15A8}https://www.shoosmiths.co.uk/client-resources/legal-updates/eu-data-protection-reform-the-removal-red-tape-smes-7485.aspxEU Data Protection Reform - The removal of red tape for SMEs One step closer to implementation of the reforms relating to EU data protection regulation, this article looks at some of the implications that the reforms are likely to have for SMEs. Key progress was made in the reform of EU data protection regulation on 12 March 2014, with the European Parliament voting in support of reform and the draft General Data Protection Regulation (the "Regulation"). The Regulation must now be adopted by the Council of Ministers in order to become law. At the earliest, this is expected to take place at the end of this year, with the deadline for member states to bring the Regulation into effect by 2016. The reforms aim to bring the existing 19 year old principles into line with the modern data protection environment and to address the ever increasing conflict between online and digital data processing, on the one hand, and the right of individuals to retain control over their personal data, on the other. There will also be a benefit for organisations that operate across international borders in having a consistent system for data protection regulation throughout the EU - one law, as opposed to 28!
Reform
The European Parliament also took the opportunity to enhance the protections in the Regulation with a view to restoring consumer trust. For example, to provide better protection against surveillance, organisations will need authorisation from the relevant national data protection authority before providing any EU citizen's personal data to another jurisdiction. One of the aims of the Regulation is to move towards a privacy by design approach, as part of which organisations will need to build safeguards into their structures and operations from an early stage in order to comply with the Regulation. This, along with a number of the other reforms, will require organisations to start taking action in readiness for the changes coming into effect. The Regulation provides that EU data protection authorities (such as the Information Commissioner's Office ("the ICO") in the UK) will have the power to fine organisations who fail to comply, based on their global annual turnover. The European Commission had proposed fines of up to 2% of the global annual turnover of the organisation in breach. However, MEPs have now increased this to #100 million or 5% of global annual turnover, whichever is greater.
What about SMEs?
The new focus is aimed at improving the level of control that individuals have over their personal data whilst at the same time encouraging growth amongst European businesses by reducing red tape and its associated costs. This appears at first glance to be a contradiction; however, some exemptions from the Regulation's provisions have been made for SMEs:
Data Protection Officers - If data processing is not an SME's core business activity, it will not be required to appoint a data protection officer.
No more notifications - The obligation to notify annually will be removed entirely and, as such, organisations will not be required to complete this task or pay the costs associated with it.
Fees - Organisations will be able to charge a fee for excessive or repetitive requests to access data.
Impact Assessments - Unless there is a specific risk, SMEs will not be obliged to carry out an impact assessment.
In addition to these exemptions, having one consistent approach to regulation across the EU should stimulate growth amongst SMEs, particularly as it should become easier to:
establish an office or branch in another EU country;
employ local staff; and
deal with subsequent flows of personal data across jurisdictions.
The Regulation is also intended to be applied in a flexible way and, we are informed, will take a risk based approach.
In particular, it is envisaged that the rules will be applied taking account of risk so as to ensure that SMEs processing small amounts of personal data, are not treated in the same way as a large multinational processing significant amounts of personal data. One example given by the European Commission is that SMEs would not be fined for an initial non intentional breach. What about the UK? The ICO has recently published its corporate plan for 2014-2017 (the "Plan") which includes objectives relating to the publishing of greater detail on the outcome of complaints as well as monitoring response times to subject access requests. In the interim therefore it is clear that organisations will need to continue to ensure that they are operating in compliance with the Data Protection Act 1998. The Plan does however also refer to preparation for the implementation of the Regulation which the ICO considers will require "substantial change". The ICO is expected to publish further guidance in October this year. Contact us If you would like to discuss the proposed Regulation and what your organisation, whatever size, should be doing in order to ensure that it is ready for reform or you need advice on data protection compliance now, please contact either Aisling Duffy on 03700865089 aisling.duffy@shoosmiths.co.uk or Pamela Morris on 03700866756 pamela.morris@shoosmiths.co.uk . All aspects of advice and support for start ups and SMEs can also provided, whether you need guidance on employing staff or filing your company, please contact Helen Burgess on 03700 86 5028 helen.burgess@shoosmiths.co.uk. Tue, 29 Apr 2014 00:00:00 +0100<![CDATA[Nicky Jenkins ]]><![CDATA[ One step closer to implementation of the reforms relating to EU data protection regulation, this article looks at some of the implications that the reforms are likely to have for SMEs. 
Key progress was made in the reform of EU data protection regulation on 12 March 2014 with the European Parliament voting in support of reform and the draft General Data Protection Regulation (the "Regulation"). The Regulation must now be adopted by the Council of Ministers in order to become law. At the earliest, this is expected to take place at the end of this year, with the deadline for member states to bring the Regulation into effect by 2016. The reforms aim to bring the existing 19 year old principles into line with the modern data protection environment and to address the ever increasing conflict between online and digital data processing, on one hand and the right of individuals to retain control over their personal data, on the other. There will also be a benefit for organisations that operate across international borders in having a consistent system for data protection regulation throughout the EU - one law, as opposed to 28! Reform The European Parliament also took the opportunity to enhance the protections in the Regulation with a view to restoring consumer trust. For example, to provide better protection against surveillance, organisations will need authorisation from the relevant national data protection authority before providing any EU citizen's personal data to another jurisdiction. One of the aims of the Regulation is to move towards a privacy by design approach, as part of which, organisations will need to build safeguards into their structures and operations from an early stage in order to comply with the Regulation. This, along with a number of the other reforms, will require organisations to start taking action in readiness for the changes coming into effect. The Regulation provides that EU data protection authorities (such as the Information Commissioner's Office ("the ICO") in the UK) will have the power to fine organisations who fail to comply, based on their global annual turnover. 
The European Commission had proposed fines of up to 2% of the global annual turnover of the organisation in breach. However, MEPs have now increased this to #100 million or 5% of global annual turnover, whichever is greater. What about SMEs The new focus is aimed at improving the level of control that individuals' have over their personal data whilst at the same time encouraging growth amongst European businesses by reducing red tape and its associated costs. This appears at first glance to be a contradiction, however, some exemptions from the Regulation's provisions have been made for SMEs: Data Protection Officers - If data processing is not a SMEs core business activity it will not be required to appoint a data protection officer. No more notifications - the obligation to notify annually will be removed entirely and, as such, organisations will not be required to complete this task or pay the costs associated with it. Fees - Organisations will be able to charge a fee for excessive or repetitive requests to access data. Impact Assessments - Unless there is a specific risk SMEs will not be obliged to carry out an impact assessment. In addition to these exemptions, having one consistent approach to regulation across the EU should stimulate growth amongst SMEs, particularly as it should become easier to: establish an office or branch in another EU country employ local staff deal with subsequent flows of personal data across jurisdictions The Regulation is also intended to be applied in a flexible way and, we are informed, will take a risk based approach. In particular, it is envisaged that the rules will be applied taking account of risk so as to ensure that SMEs processing small amounts of personal data, are not treated in the same way as a large multinational processing significant amounts of personal data. One example given by the European Commission is that SMEs would not be fined for an initial non intentional breach. What about the UK? 
The ICO has recently published its corporate plan for 2014-2017 (the "Plan"), which includes objectives relating to the publishing of greater detail on the outcome of complaints as well as monitoring response times to subject access requests. In the interim, therefore, it is clear that organisations will need to continue to ensure that they are operating in compliance with the Data Protection Act 1998. The Plan does, however, also refer to preparation for the implementation of the Regulation, which the ICO considers will require "substantial change". The ICO is expected to publish further guidance in October this year.

Contact us

If you would like to discuss the proposed Regulation and what your organisation, whatever its size, should be doing in order to ensure that it is ready for reform, or you need advice on data protection compliance now, please contact either Aisling Duffy on 03700865089 or aisling.duffy@shoosmiths.co.uk, or Pamela Morris on 03700866756 or pamela.morris@shoosmiths.co.uk. All aspects of advice and support for start-ups and SMEs can also be provided; whether you need guidance on employing staff or filing your company, please contact Helen Burgess on 03700 86 5028 or helen.burgess@shoosmiths.co.uk.
]]>
https://www.shoosmiths.co.uk/client-resources/legal-updates/a-new-dawn-for-defamation-6561.aspx

A new dawn for defamation?

The Defamation Act 2013 comes into force on 1 January 2014. We provide details of the new regulations that will govern website operators when on notice of a complaint about online material. In our original update, we reported on the main changes and obstacles for companies arising out of the Act.

New regulations for website operators

New regulations - also in force from 1 January - set out the procedure when notice of complaint is received. If the procedure is followed, a website operator (an operator) will have a complete defence under Section 5 of the Act in relation to the material complained of in the notice.
Initial response to complaint: action required by website operator within 48 hours

Within 48 hours of receiving a notice of complaint, an operator must:

- remove the offending post from its site if it cannot contact the poster electronically
- if the operator has contact details, send the poster a copy of the notice (with the complainant's name and email address redacted unless consent has been given to disclose them) together with a warning that the offending post will be removed from the website unless the poster informs the operator in writing within five days that it objects to such removal. If an objection is notified, the poster must provide their full name and postal address and confirm whether the operator may disclose these details to the complainant
- send the complainant written acknowledgment of the complaint, confirming the action taken, i.e. the complaint has been passed to the poster or the post has been removed from the operator's website

If the poster does not respond within five days

If the poster does not respond within five days, the operator must remove the post from the site and write to the complainant confirming this has been done.

If the poster provides an inadequate response within five days

If the poster responds within five days, but the response is missing required information, such as contact information, the operator must remove the offending post within 48 hours of receiving the defective response. Written confirmation of this action must then be sent to the complainant. If the operator believes that the contact information provided by the poster is false, the operator can treat the response as defective.

If the poster provides an adequate response within five days

If the poster responds saying it wishes the post to be removed from the site, the operator must remove it within 48 hours of receiving the response. However, if the poster objects to the removal of the post, the operator must inform the complainant of the objection within 48 hours of its receipt and confirm that the post will remain on the site. The operator is also required to send the poster's contact details to the complainant or, if consent has been withheld, to tell the complainant that the poster has refused consent for disclosure of these details.

Exception for persistent posting of the same material

There is a short cut available where the same or substantially the same material is repeatedly posted on an operator's website and that material has already been removed following the procedure prescribed by the regulations. If, when sending its notice, the complainant tells the operator that it has already complained about the material more than once, the operator must remove the post from the website within 48 hours. In these circumstances, there is no need to go through the prescribed procedure.

Practical effect of the regulations

The regulations will be welcomed by operators because they provide a clear process culminating in a complete defence in respect of defamatory posts on their website. They will be of use to complainants in cases where the poster helpfully ignores the notice of complaint, because they provide a route to the desired outcome - website takedown. However, they are of little use to complainants where a poster stands by his post (for instance asserting defences such as truth or honest opinion) and objects to takedown, particularly where the poster at the same time refuses to allow his contact details to be passed on. The complainant will have to sue the poster directly, where relevant having first obtained a court order against the operator for disclosure of contact details. Overall, the regulations provide a complex procedural matrix for website operators and complainants alike, with some degree of administrative burden.
They do not provide complainants with a guaranteed route to either website takedown or contact details. Whether you are a website operator or a complainant, you should seek legal advice if you are in any doubt about what to do.

Mon, 16 Dec 2013 00:00:00 Z
<![CDATA[Kath Livingston ]]>

https://www.shoosmiths.co.uk/client-resources/legal-updates/ministry-of-justice-fined-140k-for-sensitive-personal-data-breach-6286.aspx

Ministry of Justice fined £140k for 'sensitive personal data' breach

The Ministry of Justice has been fined £140,000 by the Information Commissioner's Office (ICO) for a serious breach of the Seventh Data Protection Principle.

What happened?

Details of all 1,182 prisoners at HMP Cardiff were emailed to the families of three inmates, when an inexperienced booking clerk copied and pasted a detailed spreadsheet into an email in error.
HMP Cardiff only became aware of the breach when one recipient contacted the prison to say they had received an email with an attached spreadsheet containing inmate data, some of it sensitive personal information. An internal investigation by the prison revealed two similar incidents had happened in the previous month.

The ICO concluded there was 'a clear lack of management oversight' at the prison; that the 'lack of audit trails also meant that the disclosures would have gone unnoticed'; and, more generally, that there were 'problems with the manner in which prisoners' records were handled'. In particular, the ICO found that the prison had failed to provide adequate training, suitable monitoring to supervise employees, or clear and written procedures and checklists for data transfers, or to ensure procedures were adhered to.

The fact that the breach involved sensitive personal data, and that the distress it caused to inmates and their families was significant, affected the level of fine imposed. The ICO also said failure to have procedures in place to spot mistakes was an aggravating factor.

Lessons can be learned

Organisations processing personal data should consider whether or not they are leaving themselves exposed to the risk of a significant breach which could attract a fine. In particular:

- Do you provide adequate employee training to ensure they understand the Data Protection Act and its requirements?
- Are clear and written policies in place to guide employees? If so, do you monitor and enforce compliance with those policies?
- Do you have procedures in place to ensure mistakes are detected?

Wed, 23 Oct 2013 00:00:00 +0100
<![CDATA[Nicky Jenkins ]]>

https://www.shoosmiths.co.uk/news/press-releases/shoosmiths-launches-data-protection-e-learning-tool-6152.aspx

Shoosmiths launches data protection e-learning tool

Data protection specialists at national law firm Shoosmiths have launched a data protection e-learning tool to help businesses which process personal data to stay within the law. Data protection compliance is reaching the top of the governance agenda for many organisations. All businesses which process personal data must comply with data protection legislation, and for some this is something of a black hole.

Aisling Duffy, head of data protection at the firm, said: "Failure to comply could have a significant impact on your business, resulting in an investigation and/or enforcement action by the Information Commissioner's Office - the regulator responsible for enforcing compliance with the Act.

"Fines of up to £500,000 can be given for a serious breach, not to mention significant brand damage, plus loss of customer trust and confidence."

Duffy continued: "Ultimately, organisations rely on their employees to comply with the requirements of the Act, but staff can only be expected to do so if they are aware of the Act, what it requires, and what this means in relation to their particular roles.

"With this in mind, we've developed an interactive and user-friendly e-learning course that can be taken by employees at their work station, making it much easier for management to ensure employees are aware of and understand their obligations under the Act.

"The tool contains an evaluation programme enabling organisations to demonstrate that employees are fully aware of the Act and, more importantly, have understood the training they received. It will also let you track who has completed and passed the training - and who has not!"
Because it is hosted by Shoosmiths, the e-learning tool requires minimum IT department involvement, and can:

- be adapted to include details of and links to your data protection policies
- contain your logo/branding and a senior management voiceover to emphasise the importance of compliance and your commitment to it
- notify results of the evaluation and generate management reports
- be accessed at any time via the internet

Data protection & e-learning from Shoosmiths LLP

Fri, 04 Oct 2013 00:00:00 +0100
<![CDATA[Nicky Jenkins ]]>

https://www.shoosmiths.co.uk/client-resources/legal-updates/data-protection-reform-a-softening-of-approach-6030.aspx

Data protection reform: A softening of approach?

Proposed data protection reforms have been the subject of much discussion, debate and lobbying since the draft regulation was first issued in January 2012. Much concern has been expressed about many of the proposed provisions, in particular the right to be forgotten, compulsory breach notification, the requirement for explicit consent, and increased fines that could be issued under the new regime.

With the passage of time, however, and as a result of that discussion, debate and lobbying, the Irish Presidency drafted a compromise text in anticipation of the negotiations between the European Parliament and the Council of the European Union. This text, if accepted, would introduce some significant changes. Here we look at whether or not there has been a softening of approach. If so, is that likely to make life a little easier for organisations that process personal data and are caught by the Regulation?

Breach notification

There is no doubt that, in certain respects, efforts are being made to make the Regulation more user-friendly.
Let us take breach notification as an example. The original draft Regulation provided that it was compulsory to notify the supervisory authority of every breach promptly and, where feasible, within 24 hours. This was the subject of much debate for a number of reasons, particularly because:

- the timescale was regarded as being unreasonable and appeared to shift emphasis away from the need to contain and remedy the breach and mitigate the risk to individuals, towards giving priority to the administrative task of notifying the regulator
- the obligation would apply to every single breach regardless of how minor it was and/or the level of risk (if any) it presented to individuals
- such a wide obligation to notify the regulator was likely to strain resources and lead to notification fatigue

With this in mind, it is pleasing to note that the compromise text seeks to amend this obligation, so that organisations would only be required to notify the regulator of a breach where the breach is 'likely to severely affect the rights and freedoms of data subjects' and, where feasible, within 72 hours. This demonstrates a clear intention to make the obligation less cumbersome and more manageable. However, whilst it does attempt to introduce some threshold in relation to when the obligation to notify arises, organisations would still need clear guidance from regulators in order to be able to understand when the obligation arises. This shift of emphasis will, of course, provide organisations with some comfort. Without further guidance, though, it is likely organisations would still be faced with a difficult decision as to whether or not they are required to notify each breach to the regulator.

Consent

Another issue that has been the subject of change in the compromise text is consent. Under the current regime, explicit consent is only necessary where sensitive personal data is being processed. Where an organisation wishes to process 'ordinary' personal data, it is required to obtain consent which is 'fully informed and freely given' to process that personal data. The introduction of a definition of consent into the Regulation has caused quite a stir, not least because it stated that for any consent to be valid it must be 'explicit'. This change would have had significant implications for organisations that collect and process personal data, and would have resulted in them having to change many of their forms, documents and processes in order to obtain explicit consent in every instance.

However, as part of discussions, reference to the word 'explicit' has been removed from the definition of consent, and consent must now be 'unambiguous' and 'a freely-given, specific and informed indication of his or her wishes'. Again, this suggests a softening of approach, as consent need not be explicit in every instance. This offers little certainty, though, and is likely to mean that organisations will still need to review the policies, procedures and documents used to collect personal data in order to take a view on whether or not the consent obtained satisfies these requirements. As before, it is likely that clear guidance will be needed to help organisations determine exactly what this definition means.

Right to be forgotten

The 'right to be forgotten' has also been changed. This right enables individuals to request the erasure of their personal data in certain circumstances and requires organisations to take reasonable steps to ensure that third parties, to whom this information has been transferred, also comply with the obligation. At the outset, organisations were at a loss to understand: how they could comply with this in practice; how it could be monitored and enforced; and how far they would need to go to ensure they have complied with their obligations.
While some amendments are being proposed in order to make this right more practical, many of these questions remain unanswered.

Focused and pragmatic

On reading the Regulation - and the surrounding debates and proposals - it is clear that many other aspects are still regarded as being problematic, including the conditions for processing (which some consider are unnecessarily narrow); subject access requests; and, of course, the threat of significantly increased levels of fines. So at this interim stage, it does appear that efforts are being made to make the Regulation more business-focused and pragmatic. We do not know whether or not the proposed compromise text will be implemented in full, or at all. Even if it is, many aspects of the Regulation and the compromise text remain unclear, and detailed guidance would be necessary to help organisations determine exactly what their obligations are.

Contact us

If you would like to discuss the proposed regulation and what your organisation should be doing in order to ensure that you are ready for reform when it arrives, please contact Aisling Duffy on 03700865089 or aisling.duffy@shoosmiths.co.uk.

Fri, 20 Sep 2013 00:00:00 +0100
<![CDATA[Nicky Jenkins ]]>

https://www.shoosmiths.co.uk/client-resources/legal-updates/data-protection-time-to-take-action-5978.aspx

Data protection: Time to take action

On 25 January 2012, the European Commission decided that a substantial overhaul of data protection regulation is required and issued its proposals for change.
The proposals are currently making their way through the legislative process in Brussels but, once approved, are expected to take effect at some point in 2014.

What does this mean?

If adopted in their current form, these reforms will introduce some very significant changes and will have a major impact on how organisations which process personal data must do so. The extent and nature of the changes being proposed mean that it would be very unwise to sit back, wait for the reforms to be implemented and only then take action. Instead, organisations, particularly those who rely on their ability to collect and process personal data or who process significant amounts of personal data, should be taking stock of their current practices, policies and procedures. Only then will they be able to 'hit the ground running' when the reforms finally arrive.

The changes

The proposals, as currently drafted, introduce many changes. In particular, they will:

- Make it compulsory for organisations to notify the Information Commissioner's Office (ICO) of every data security breach, regardless of the nature or extent of the breach. In particular, organisations will be required to notify 'without undue delay' and, where feasible, within 24 hours.
- Require that every consent obtained in order to ensure that the processing of personal data is fair and lawful must be 'explicit'. Currently explicit consent is only required where the processing involves sensitive personal data (for example information relating to medical conditions, religious beliefs, criminal convictions etc). This change will therefore require organisations to rethink the processes and documentation they use to collect personal data.
- Mean that some obligations will apply directly to data processors. Currently the obligations in the Data Protection Act only apply to data controllers. This is therefore a significant change and will mean that many organisations who have enjoyed the relative comfort of not being caught by the Act will be required to ensure that the way they collect and process personal data complies with the Act.
- Introduce a right to be forgotten. This will enable individuals to request that their details are completely removed from systems and, subject to certain exemptions, not processed further. In addition, it will require organisations to take reasonable steps to ensure that any third party to whom they have passed those details also removes them from their systems.
- Introduce the power for the ICO to impose much larger fines on organisations which breach their obligations. Currently, the maximum fine that can be issued by the ICO is £500,000, and this is likely to increase to 2% of the global annual turnover of the organisation.

So... now is the time to take stock of current levels of compliance within your organisation and to come up with a realistic plan to ensure that your organisation is ready for the changes.

Contact

For further information on the proposed reforms, to discuss how they might affect your business or what you can do to ensure you do not get caught out, please contact Aisling Duffy on 03700 865089 or at aisling.duffy@shoosmiths.co.uk
Wed, 04 Sep 2013 00:00:00 +0100<![CDATA[Nicky Jenkins ]]>
{AF540FAF-90BA-4408-8BFA-0EE9456DFA5C}https://www.shoosmiths.co.uk/client-resources/legal-updates/new-guidance-leaves-crucial-data-protection-compliance-questions-unanswered-5895.aspx
New guidance leaves crucial data protection compliance questions unanswered

One of the best known rights enshrined in the Data Protection Act 1998 is the right of individuals to make data subject access requests (DSARs) of any organisation they believe is holding - described by the Act as processing - their personal data. Compliance with data protection law in the UK is primarily the responsibility of the Information Commissioner, whose office has recently published a new Subject Access Code of Practice to help organisations comply with their obligations in respect of DSARs under the Act.

DSARs: The basics

An organisation on the receiving end of a DSAR has 40 days to respond to it and is obliged to provide the individual making the request with details about the information the organisation holds about them, unless one of the limited exceptions set out in the Act applies.
In most cases, an individual making a DSAR will be entitled to:

- be told whether any of their personal data is being processed
- receive a description of the personal data, and the reasons for which it is being processed
- receive a copy of the personal data
- receive details of the source of the data (where this is known)

DSARs must be submitted in writing, but individuals do not have to (a) state that it is a data subject access request, (b) refer to the Act or (c) use a particular format to submit their request. Organisations do have the right to charge a fee for processing DSARs, but this is capped at £10. It is important to ensure that the identity of the individual making the request is confirmed before any information is supplied to them.

DSARs made under the Act are commonplace. These are often received from customers of a business and are usually easily dealt with by following a set procedure, provided, of course, that the person receiving the DSAR recognises it as being one. The Information Commissioner's Code of Practice provides some useful steps to follow to ensure DSARs are handled properly and makes some recommendations to help organisations establish procedures and employee training.

Modern guidance for a modern world?

Although the Code of Practice comes at the end of a significant period of consultation, much of its content is drawn from pre-existing guidance which has simply been consolidated into one document. The guidance does address a few new issues, however, notably what organisations should do when they receive DSARs via social media. A DSAR made via Facebook or Twitter (rather than submitted by email or letter) is more likely to be missed by an organisation, and it will be of some comfort to organisations with corporate social media accounts to know that the Information Commissioner recognises this.

The Information Commissioner has indicated that it will use its discretion in deciding whether to take enforcement action over DSARs that have not been complied with in circumstances where it considers that the request was genuinely and inadvertently missed because it was made via an unusual route. However, the Code of Practice makes clear that DSARs made via social media are perfectly valid and should be complied with. Organisations should therefore ensure that the possibility of receiving DSARs via social media is taken into account in their data protection policies and training.

The unfairness of uncertainty: Too much discretion or not enough from the Information Commissioner?

Whilst the Code of Practice will be a useful tool for anyone responsible for dealing with DSARs, it still leaves questions unanswered regarding the exercise of discretion by the Information Commissioner's Office and how that compares to the approach taken by the courts. Although most DSARs are fairly straightforward, when received from an employee or a party with whom the organisation is in dispute, they can be incredibly burdensome, time consuming and expensive. The Act does not require an individual to set out their reasons for making a DSAR, so there is nothing to prevent a current or former employee requesting details of all their personal data and, unless an exemption applies under the Act, the organisation would have to devote a huge number of man hours to collating, describing and providing the data to the individual in question.

In addition, DSARs are becoming increasingly common during employment proceedings and as a way of circumventing the normal disclosure process in litigation. Receiving a contentious DSAR at a time when other proceedings are ongoing or being contemplated is often a major source of confusion for organisations. In particular, the approach taken by the Information Commissioner in this context does not align with that followed by the courts, and the Code of Practice offers little comfort in this respect.

In the event that an individual considers that an organisation has failed to comply with their DSAR, they have the option to seek redress from the courts or the Information Commissioner. Recent case law has indicated that where the court considers a DSAR is being used to obtain information that should properly come out in disclosure, the judge will refuse to order that the organisation complies with the DSAR. However, the Code of Practice makes clear that the Information Commissioner will not adopt the same approach as the courts. On the contrary, the Information Commissioner has indicated that where his office receives a complaint regarding non-compliance with a DSAR, he will not take into account the fact that the DSAR in question is being used to fuel separate litigation, even though he does have discretion as to whether to investigate a complaint.

Concern over this disparity in the approaches of the courts and the Information Commissioner was raised by a number of organisations, including Shoosmiths, in their response to the consultation on the Code of Practice before it was finalised. Although the Information Commissioner notes the differences in approach between his office and the courts in the Code of Practice, disappointingly no effort is made to address this issue. Organisations and their legal advisers faced with a DSAR in the midst of legal proceedings must therefore decide whether or not to comply, running the risk of a negative finding against them from the Information Commissioner if they refuse.

What should I do?

The publication of the Code of Practice is a good opportunity to check that existing policies and training are adequate to help you to respond to DSARs you may receive. If you receive a DSAR via social media, treat it the way you would one that was received by post or email, but be sure to verify the identity of the individual making the request before you send them any information. If you receive a DSAR from an individual with whom you are engaged in litigation, think carefully before refusing to comply and consider taking legal advice on the best course of action. If you do comply, make sure that you redact or withhold any information that is protected by legal privilege (created in contemplation of litigation or advice from lawyers).

Click here to read the new Subject Access Code of Practice

For further information, please contact jo.joyce@shoosmiths.co.uk or aisling.duffy@shoosmiths.co.uk
Tue, 20 Aug 2013 00:00:00 +0100<![CDATA[Gary Assim ]]>
{C003E373-892B-4BCE-BED6-10639614B0AA}https://www.shoosmiths.co.uk/client-resources/legal-updates/google-auto-complete-function-5521.aspx
Google auto complete function: Time to clean up its act?

Have you ever been impressed with the ability of Google to read your mind when you type a phrase into the search box and it finishes off your sentence? This 'auto-complete' facility on the world's most used search engine has been subject to worldwide criticism over the last few years and most recently has found itself the subject of scrutiny in Germany's Federal Court, the Bundesgerichtshof.

In an important decision for purveyors of online content, the German Court has ruled in a claim brought by 'anon' that in the event Google is notified of defamatory auto-completed suggestions, it must remove the defamatory automated algorithm connections. In this case, the unidentified man felt that he was subject to defamatory insinuations when 'Scientology' and 'fraud' were linked with his name on the search engine.
Another high profile German claim has been brought by Bettina Wulff (wife of former German President, Christian Wulff), who has objected to the automated connection with prostitution and escort services when her name is typed into Google's search box. In Japan, Google was ordered to remove search terms which unjustifiably linked an individual to criminality and was ordered to pay 300,000 Yen (about £2,000) for pain and suffering caused.

It's not just individuals who have raised concerns about this seemingly intuitive function. An insurance company in France raised objections to the automation of the word 'escroc' (which roughly translates as 'crook') when its company name is typed into the search engine. Google failed to react when notified of the illegal content and was fined around €50,000.

Spain's Data Protection Authority has considered whether the auto-generated terms could be 'personal data' within the meaning of its national data protection legislation (and the relevant EU Directive). In this case, the word 'gay' automatically appeared after an individual's name. The individual found this offensive and defamatory. In concluding that the auto-complete function could amount to a breach of data protection, the Spanish Authority had to consider three questions:

- Can the auto-complete results be considered as personal data?
- Does Google process this personal data?
- Is Google the data controller of the processed personal data?

The answer to all three questions was 'yes'.

Google's defences to claims resulting from the auto-complete function have so far centred on the fact that the automated results are not manually inputted, but are generated by an automatic algorithm and are akin to user generated content. Google also raises arguments relating to the need to strike a balance between rights of privacy and reputation and that of freedom of expression.

Google will, in Germany at least, now be expected to remove any defamatory automated word combinations once it has been notified of them. The usual 'notice and takedown' principles will apply, requiring it to be reactive rather than pro-active upon notification. Time will tell whether the English courts and those of other European countries will follow suit.
Fri, 31 May 2013 00:00:00 +0100<![CDATA[Anastasia Fowle ]]>
{1AA2F939-C89E-4188-9324-6E6F30F7605F}https://www.shoosmiths.co.uk/client-resources/legal-updates/bring-your-own-device-ico-publishes-new-guidance-5418.aspx
Bring your own device: ICO publishes new guidance

A survey by the Information Commissioner's Office (ICO) has revealed that 47% of all UK adults now use their personal smart phone, laptop or tablet computer for work purposes - known as 'bring your own device' (BYOD).
However, fewer than three in 10 users had received guidance on how to use their devices for work. This raises concerns that users may not understand how to protect the personal information accessed and stored on these devices.

It is crucial that organisations understand that, whilst their employee owns the device, the organisation is responsible for ensuring that all processing of personal data under its control is compliant with the Data Protection Act 1998 (DPA). In particular, organisations must ensure that it is processed in accordance with the seventh data protection principle, which states:

"Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."

In its recent guidance, the ICO explains key considerations that organisations should be thinking about as this trend increases and provides recommendations on how to protect personal data held on employee owned devices and to ensure that it is processed in accordance with the DPA.

The ICO identified a number of benefits of BYOD. For example, it may increase employee job satisfaction, morale and job efficiency, and achieve cost savings. However, the ICO also acknowledged that BYOD must be controlled, and that organisations will need to invest in order to introduce appropriate controls. In some instances, organisations may find that the cost of implementing these controls outweighs the savings envisaged, but the reputational damage and other implications that could flow from a serious data security breach could far exceed the cost of putting in place appropriate controls in the first place.

The ICO's guidance sets out the following considerations that organisations need to assess if they are going to allow their employees to bring their own device:

- what type of data may be held on them
- where data may be stored
- how it is transferred
- potential for data leakage
- blurring of personal and business use
- the device's security capacities
- what to do if the person who owns the device leaves their employment
- how to deal with the loss, theft, failure and support of the device

Top tips from the ICO's guidance for organisations who wish to permit BYOD:

- implement, maintain and enforce an acceptable use policy to provide guidance and accountability of behaviour; and involve all relevant departments (such as IT and HR) and the end users in development of your policy in order to ensure it is tailored to your business
- consider your need for a social media policy if BYOD leads (or is likely to lead) to an increased use of social media
- be clear about which types of personal data may be processed on personal devices and which may not
- use and enforce a strong password to secure devices and ensure that access to the device is locked or data automatically deleted if an incorrect password is input too many times
- register devices with a remote locate and wipe facility to maintain confidentiality of the data in the event of loss or theft, and make sure users know exactly which data might be automatically or remotely deleted and under what circumstances
- use encryption effectively to store and transfer data
- ensure that the device automatically locks if inactive for a period of time
- maintain a clear separation between the personal data processed on behalf of the data controller and that processed for the device owner's own purposes; for example, by using different apps for business and personal use
- be careful when using public cloud-based sharing and public back-up services
- take care that monitoring technology remains proportionate and not excessive, especially during periods of personal use - do this by identifying the purpose(s) of any monitoring and ensuring that your employees are clear about the purpose(s) and are satisfied that it is justified by the real benefits that will be delivered
- when drafting a BYOD acceptable use policy, consider the guidance in the ICO's Employment Practices Code
- limit the choice of devices which can be used to those which you have assessed as providing an appropriate level of security for the personal data being processed
- provide guidance to users about the risks of downloading unreliable or unverified apps

Additional considerations:

- before you allow BYOD you should consider whether it would contravene any of your existing agreements
- remember that the device is used by your employee for personal use, and so any technical requirements and policies should be proportionate and justified
- public authorities subject to the Freedom of Information Act 2000 (FOIA) should consider their obligations and how they will deal with requests for information within the time schedule if multiple copies of data are stored across different devices
- remember that if you implement a policy, do not forget to monitor and enforce compliance
- consider what you will do to manage the data you are responsible for if your employee sells or returns the device
- you must be able to show that you have secured, controlled or deleted all personal data on a particular device if there is a security breach
- you may want to train employees in how to access Wi-Fi networks securely and how to deactivate interfaces like Bluetooth, which may automatically connect to other devices or networks
- think about how you will deal with removable media (for example a USB stick) and/or storage media (for example a mini SD card), which can be easily removed and the loss of which may go unnoticed for some time

For further information, please contact Aisling Duffy at aisling.duffy@shoosmiths.co.uk or on 03700 865089.
Fri, 10 May 2013 00:00:00 +0100<![CDATA[Nicky Jenkins ]]><![CDATA[ A survey by the Information Commissioner's Office (ICO) has revealed that 47% of all UK adults now use their personal smart phone, laptop or tablet computer for work purposes - known as 'bring your own device' (BYOD). However, fewer than three in 10 users had received guidance on how to use their devices for work. This raises concerns that users may not understand how to protect the personal information accessed and stored on these devices.

It is crucial that organisations understand that whilst their employee owns the device, the organisation is responsible for ensuring that all processing of personal data under its control is compliant with the Data Protection Act 1998 (DPA). In particular, organisations must ensure that it is processed in accordance with the seventh data protection principle, which states: "Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."

In its recent guidance, the ICO explains key considerations that organisations should be thinking about as this trend increases and provides recommendations on how to protect personal data held on employee owned devices and to ensure that it is processed in accordance with the DPA.

The ICO identified a number of benefits of BYOD. For example, it may increase employee job satisfaction, morale, job efficiency and achieve cost savings. However, the ICO also acknowledged that BYOD must be controlled, and that organisations will need to invest in order to introduce appropriate controls. In some instances, organisations may find that the cost of implementing these controls outweighs the savings envisaged, but the reputational damage and other implications that could flow from a serious data security breach could far exceed the cost of putting in place appropriate controls in the first place.
]]>{47DCD552-EE0D-41F9-870A-2ADF24013B11}https://www.shoosmiths.co.uk/client-resources/legal-updates/data-protection-authorities-investigations-into-google-5328.aspx
Data protection authorities announce investigations into Google's privacy policy

On 2 April 2013, data protection authorities across the EU - including the Information Commissioner's Office (ICO) - announced that they are now investigating whether Google's privacy policy complies with national data protection laws. The investigation was prompted by allegations that Google failed to implement recommendations issued to it by the EU Working Party in October 2012.

Background

On 1 March 2012, Google updated its terms of service and consolidated more than 60 of its privacy policies into a single policy for almost all its services. This enabled Google to aggregate users' personal data from across their accounts and services, including Gmail, Google Play, Google+, internet searching, maps, YouTube, location data and photo sharing. As a result, the EU's Article 29 Working Party asked the French data protection regulator, the CNiL, to lead an investigation into Google's new privacy policy. The CNiL was asked to examine whether Google's privacy policy complies with the requirements set out in the Data Protection Directive.

What were the Working Party's findings and recommendations?

In October 2012, the CNiL reported that Google's privacy policy did not fully meet the requirements of the Data Protection Directive. A letter was sent to Google outlining the recommendations of the EU data protection authorities, which was individually signed by 27 European data protection authorities. The CNiL reported that Google had failed to provide clear and comprehensive information about the categories of data that each Google service processes, the extent of Google's processing activities and the purposes for which each service processes personal data.
It also reported that users did not always have sufficient control in deciding which of Google's services collected and used data about them. The CNiL expressed concern that Google could potentially collect and use excessive amounts of data, as any online activity related to Google (use of its services, Android system or consultation of third party websites using Google's services) could be gathered and combined by Google. The report also highlighted that the data collected was used for a wide range of different purposes (including product development, security and advertising), but that the policy did not distinguish between different types of processing.

The CNiL subsequently issued various recommendations to Google, which included suggestions to:
- provide clearer information to users about the data collected and the purposes for which each Google service processes personal data
- offer clear 'opt out' mechanisms, so that users are free to opt out of having their data collected for particular services
- limit the amount of data Google stores about users and the potential uses of the data, and
- incorporate mechanisms to distinguish between different uses of the data

The ICO investigates

The CNiL gave Google four months to comply with its recommendations and to upgrade its privacy policy practices. This time period has now expired, and it is reported that Google has not implemented any significant compliance measures. The ICO has now announced that it has launched an investigation into whether Google's privacy policy is compliant with the Data Protection Act 1998. The ICO will be joined by the data protection authorities of France, Germany, Italy, the Netherlands and Spain, which have also announced they will investigate the issue to determine whether Google's privacy policy complies with their respective national data protection legislation. In a statement, Google has said that its privacy policy 'respects European law'.
What is the potential impact of these investigations?

The investigations into Google highlight the importance of having a clear and well drafted privacy policy. Privacy policies should be tailored so that they effectively inform individuals what personal data is collected and how it is stored and processed by that organisation. Organisations should consider whether or not their privacy policy can be clearly understood by users, and whether or not users are given sufficient choices about how their personal data is processed. Google is undoubtedly a big player in the online environment, so these investigations are likely to be of great interest to other online providers.
Mon, 29 Apr 2013 00:00:00 +0100<![CDATA[Nicky Jenkins ]]><![CDATA[ ]]>{7297699B-1C4F-4713-8B50-5BAD8B3F1481}https://www.shoosmiths.co.uk/client-resources/legal-updates/loss-of-disciplinary-data-leads-to-large-fine-5008.aspx
Loss of disciplinary data leads to large fine

The Nursing and Midwifery Council has been fined £150,000 by the Information Commissioner's Office for losing three DVDs which contained evidence relating to a disciplinary investigation.

Background

Since 6 April 2010 the Information Commissioner's Office (ICO) has had the power to issue monetary penalties of up to £500,000 for serious breaches of the Data Protection Act 1998 (DPA). The ICO only issues a monetary penalty in the most serious cases, but it is using its relatively new power with increasing frequency.
The law

All organisations which handle personal data must do so lawfully, in accordance with the eight data protection principles set out in the DPA. These include taking: "Appropriate technical and organisational measures ... against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data." (Principle 7)

What amounts to an "appropriate" measure depends on various factors including the cost of implementing any measures, the harm that may result from any loss etc. of the relevant data and the nature of the information to be protected.

The case

The Nursing and Midwifery Council (NMC) is the regulatory body for nurses and midwives in the UK. Part of its remit is to carry out fitness to practise investigations when allegations of misconduct are made against these professionals. Three DVDs containing witness interviews which contained confidential and highly sensitive information about alleged offences were lost while being couriered to the location at which a fitness to practise hearing was to be held. The data on the discs was not encrypted. Despite extensive searches the DVDs were never found. However, there was no indication that the data had been accessed or disseminated further.

The decision

The ICO was critical of the fact that the NMC had failed to take any measures, such as encryption, against accidental loss given the harm that may have resulted from such loss and the nature of the data. In particular, two of the affected individuals in this case were vulnerable children and there was potential for substantial distress to be caused if the sensitive personal data was disclosed to a recipient with no right to see it. In the NMC's favour was the fact that it had voluntarily reported the breach to the ICO and co-operated fully, had carried out a thorough investigation, had made extensive searches to locate the missing DVDs and had subsequently taken remedial action internally.
Despite this, the ICO imposed a penalty of £150,000, to be reduced by 20 per cent if paid within one month.

Comment

Employers and professional organisations need to ensure they are complying with the DPA and in particular the seventh data protection principle in respect of information relating to disciplinary investigations and hearings. In the cases involving serious allegations the relevant data is likely to be highly sensitive so the risk of harm from accidental loss or disclosure could be high. Whenever data is being sent off site protective measures should be considered. The Commissioner has published guidance on the use of portable devices and removable media. In its view such devices should be encrypted and failure to do so is likely to lead to enforcement action if equipment and data are subsequently lost or misused. Taking the relatively cheap and simple step of encrypting data could protect organisations against incurring similar fines.

Source: ICO monetary penalty notices

How can we help?

If you would like to discuss what you need to do in order to comply with the Act, please contact louise.randall@shoosmiths.co.uk or a member of our data protection team.
Tue, 12 Mar 2013 00:00:00 Z<![CDATA[Stuart Lawrenson ]]><![CDATA[ ]]>{3FCCD12E-36D5-4147-AFF9-C2672E3C42A8}https://www.shoosmiths.co.uk/client-resources/legal-updates/online-behavioural-advertising-the-new-rules-4708.aspx
Online behavioural advertising: The new rules

From 4 February 2013, organisations using targeted advertising online - known as 'online behavioural advertising' (OBA) - will be required to tell web users about their use of OBA and allow them to opt-out of having their data collected and used for OBA. Here, we consider how OBA is currently used, what the new rules will require and their impact on the advertising industry and consumers.

Online behavioural advertising: What is it?

The Committee of Advertising Practice (CAP) defines OBA as a developed form of targeted advertising carried out by 'third parties'.
The term 'third parties' refers to organisations which do not own or operate the website on which advertising is carried out, but which work in conjunction with the website operator to collect data on users' web viewing behaviour. These third parties collect data from a particular user's computer, analyse it, and use it to deliver customised advertising to that user. OBA enables the third party to identify a user's particular interest or preference from the data collected and to then place a cookie on that user's computer to determine what advertising the user will receive. Preferences may be inferred, for example, based on pages recently visited, advertisements clicked on, or products purchased or viewed online. These are often categorised to target multiple web users with similar interests (albeit anonymously).

The new rules

CAP recently announced that from 4 February 2013, new rules will govern how organisations use OBA and will be enforced by the Advertising Standards Authority (ASA). Essentially, the rules require 'third parties' to:
- Set out a clear and comprehensive notice on the third party's own website to state that they collect and use web viewing behaviour data for the purposes of OBA, and provide users with a mechanism on their own website to opt-out of having their data collected and used for the purposes of OBA.
- Set out a clear and comprehensive notice on or around the display advertisement on the website where the OBA appears. The notice must state that they collect and use web viewing behaviour data for the purposes of OBA. The third party must also provide users with a link on or around the display advertisement enabling users to opt-out of having their data collected and used for the purposes of OBA.
- Not create 'interest segments' specifically designed for the purpose of targeting OBA to children aged 12 or under. CAP has issued a Help Note explaining that 'interest segments' are often created to categorise individuals based on data collected from a range of websites.
- Obtain 'explicit consent' from a web user before using OBA if the organisation uses technology to collect and use information about 'all or substantially all' of the websites visited by that user to deliver OBA on their computer. This rule relates primarily to OBA taking place at internet service provider (ISP) level, where the ISP collects information from websites visited by a particular computer or browser to deliver advertising. The term 'explicit consent' indicates that the third party will need to get a user's express or 'opt-in' consent, confirming that the user agrees to their data being collected and used for the purposes of OBA.

The first two rules above require notices and opt-out mechanisms to be used on the third party's own site and the website operator's site. These can be in the form of an icon, symbol or text, but should be of an appropriate size and colour, making the notice easy to see and read. Notices should not be obscured by background text or the advertisement itself. The opt-out mechanism used in conjunction with a notice must be 'effective'. If the effectiveness of an opt-out is limited by any means (for example if deleting cookies may mean that the opt-out will not operate) the third party must explain the limitations on its effectiveness in the opt-out mechanism. Many third parties currently provide consumers with a link to the site www.youronlinechoices.eu/, enabling users to opt-out of one, many, or all third parties using OBA on a pan-European basis.

The new rules will not apply to contextual advertising (i.e. advertising based on items a user is currently viewing on the website, provided by businesses such as Amazon), web analytics (for example the web analytics service provided by Google), ad reporting or ad delivery, the collection and use of information for OBA by website operators on their own websites, or the use of OBA in rich media, in-stream videos online or on mobile devices. It is, however, anticipated that the rules will be applied to OBA on mobile devices in due course. The rules are a response to developing technologies and new marketing trends, and have been introduced in line with the provisions of the Data Protection Act 1998 and Privacy and Electronic Communications Regulations 2003 (as amended). Similar rules will be incorporated into marketing and advertising codes across Europe.

What impact will the new rules have?

The new rules aim to ensure that OBA can be used to benefit the advertising industry and consumers alike, and will have an impact on third parties, website owners and operators and consumers. Third parties will be required to comply with the rules and set out appropriate OBA notices and opt-out mechanisms to users in accordance with the rules. Website owners and operators will also need to be aware of the new rules if third parties operate OBA on their websites on their behalf. If the ASA cannot identify the relevant third party, the advertiser (i.e. the website owner or operator) must co-operate with the ASA to identify the appropriate third party. It is hoped that consumers whose online web viewing data is used for the purposes of OBA will benefit from the new rules, providing them with more transparency and choice. The aim is that the new rules will result in increased consumer trust, because users will understand how data on their web browsing behaviour is collected and used. However, some aspects of the new rules may be difficult to put into practice, as it is not entirely clear from the rules or CAP guidance what exactly is required.
For example, whilst the notice and opt-out requirements may not be too difficult to incorporate into the OBA mechanism, the rule prohibiting the creation of interest segments for children aged 12 and under is less clear. Does this require third parties to un-write software they use to ensure that the OBA will not operate in relation to goods which children aged 12 and under may be interested in? How will this work in practice?

The new rules are yet another example of the law attempting to keep up with the rapid pace of technological change. It will be interesting to see what impact the rules will have in practice, and whether their application will be further extended, as is already anticipated, in relation to OBA used on mobile devices.
Wed, 23 Jan 2013 00:00:00 Z<![CDATA[Nicky Jenkins ]]><![CDATA[
]]>{7891BBB8-7869-4C5D-97DB-913F062B501E}https://www.shoosmiths.co.uk/client-resources/legal-updates/construction-blacklisting-ico-under-scrutiny-4712.aspxConstruction blacklisting: ICO under scrutiny The Information Commissioner's handling of the blacklisting of construction workers scandal is under scrutiny in Parliament.

Background

Over three years ago the Information Commissioner's Office (ICO) investigated and exposed the blacklisting of over 3,000 construction workers who had been suspected of being involved in trade union activities. As a result of the investigation the Government introduced the Employment Relations Act 1999 (Blacklists) Regulations 2010. Last year, Liberty asked the ICO to reopen the case following a report published by the trade union, the GMB, to establish the extent to which each company was involved. There was discussion that if the ICO took this step the consequences could be far more serious for the companies involved than in the first investigation, because the ICO now has greater powers of enforcement, including imposing monetary penalties of up to £500,000. However, the ICO subsequently said that it saw "no grounds to justify reopening its investigation". In August 2012, David Smith, the Deputy Information Commissioner, made it clear that the ICO had exercised fully the powers that it had at its disposal at that time. Whilst acknowledging that the ICO now has increased powers, he said that the monetary penalties "can only be issued where a breach of the Data Protection Act has taken place after April 2010. As the ICO has not received any reliable evidence that unlawful processing of personal data continued after April 2010 the stronger penalties do not apply".

Out of date data

The ICO also rejected the GMB's calls for it to make contact with those on the blacklist: the data included in the list is said to have been old and, in many cases, incomplete, and the ICO certainly did not want to be in the position of sending sensitive personal data to the wrong addresses! Nevertheless, GMB members were identified from the list and contacted by the GMB after the ICO allowed the GMB's legal team to view the data.

Latest developments

However, the issue is now to be raised in a House of Commons debate, as a call is to be made for a full inquiry into the matter to establish claims of blacklisting of workers involved in both the Olympics and the Crossrail project. The key point is expected to be that many of those concerned are still unaware that they are on the list. It is expected that MPs will agree that this should be addressed, but it remains to be seen what actions will be taken as a result of the debate and whether a full inquiry will commence.

Comment

It will be interesting to see how the ICO will react to such potential scrutiny of its regulation and enforcement actions. All employers should be aware that data held about their employees must be processed in accordance with the Data Protection Act 1998: information about trade union membership is sensitive personal data and so subject to even greater protections than other personal data. Employers should never make recruitment decisions on the basis of an applicant's trade union membership. Following the European Commission's review of European data protection legislation, the ICO's powers are likely to grow further, meaning that compliance with data protection law across both the UK and Europe will become a key issue for organisations.

Sources:
BBC News: 'Call for construction industry 'blacklist' inquiry'
ICO blog: 'Prosecution of construction blacklist used strongest powers we had' Wed, 23 Jan 2013 00:00:00 Z<![CDATA[Stuart Lawrenson ]]><![CDATA[]]>{450E28F3-27A8-4C17-9AA3-7157D3C47229}https://www.shoosmiths.co.uk/client-resources/legal-updates/are-you-breaching-ongoing-duty-care-data-protection-act-4625.aspxAre you breaching your ongoing duty of care under the Data Protection Act? £325,000 - the largest Civil Monetary Penalty issued to date by the Information Commissioner's Office (ICO) for breach of the Data Protection Act (DPA). It remains to be seen whether the UK Border Agency (UKBA) will also be fined in respect of the text messages it sent to individuals and which are allegedly in breach of the DPA.

The UKBA is not alone; a 2012 case shows just how easy it can be to fall short of the obligations imposed by the DPA. In Smeaton v Equifax Plc at the High Court, it was found that Equifax - one of the UK's three principal credit rating agencies - had breached its duty of care owed to Keith Smeaton under the DPA. The claimant was a severely dyslexic 63-year-old who complained that between March 2001 and July 2006, Equifax recorded on his credit file that he was subject to a bankruptcy order. This was incorrect. The bankruptcy order was subject to a stay between March 2001 and May 2002 due to an appeal made by Mr Smeaton. However, the inaccurate entry remained on his credit file until 2006. At the time the entry was recorded, Mr Smeaton was subject to the bankruptcy order and there was no way Equifax could know it had been rescinded. In these highly unusual circumstances, it would seem unfair to rule against Equifax that the ongoing duty of care to the data subject - Mr Smeaton - had been breached. It was alleged, however, that Equifax had breached principle 4 of the DPA, which states that 'personal data shall be accurate and, where necessary, kept up to date'.
So it is no longer enough to say that, as the information was obtained from the data subject or a third party, all has been done that could reasonably be done to ensure the accuracy of the data. Data controllers are now required to take active steps to ensure data accuracy. It would be unreasonable to update the data subject's personal information if the data was held solely for the purposes of a historical record, but as Equifax is a credit reference agency, it was highly probable that the data recorded was to be accessed for the purposes of current activities, and arguably there is a higher threshold to comply with the duty of care in these situations, because the data should accurately reflect the individual's circumstances.

In this case, two credit applications made by Mr Smeaton were declined as a direct result of the inaccurate data recorded on his credit file, triggering a number of events that ultimately left him homeless. Damages have been claimed but have not yet been quantified. Between August and November 2012, fines imposed by the ICO exceeded £900,000. It is anticipated that Equifax will be required to pay a substantial sum to Mr Smeaton as a consequence of its breach and to put Mr Smeaton back into the position he was in prior to the breach. So keep on top of your record keeping to avoid being hit by a sizeable compensation claim. Tue, 15 Jan 2013 00:00:00 Z<![CDATA[Jenny Ogden ]]><![CDATA[]]>{5BF855C1-2A04-45E8-9A5F-35581FC45D76}https://www.shoosmiths.co.uk/client-resources/legal-updates/cloud-computing-data-protection-issues-4314.aspxCloud computing: Data protection issues According to a recent article by Shoosmiths, the cloud software market generated $22 billion in revenue in 2011, and is expected to grow to $67.3 billion by 2016. Alongside the benefit of cloud computing, however, lies a lack of transparency for cloud customers, causing legitimate concerns about how they can comply with the Data Protection Act 1998 (DPA). Thrown into this mix, of course, is the latest attempt by the European Commission (EC) to protect privacy rights and provide a uniform approach to data protection with the General Data Protection Regulation. Although the EC is not looking to implement the Draft Regulation until 2014, the Information Commissioner's Office (ICO) has released Guidance on the use of cloud computing, in an attempt to address some of these concerns and hopefully shed light on the best approach for cloud customers to take.

Data protection in the cloud

In the world of cloud computing, the cloud provider will, in most cases, be the data processor, passively processing the data, for example, by storing it on its platform.
Depending on the type of cloud used, the cloud provider's responsibilities could include providing infrastructure, physical security of the premises, operating system and network security. The cloud customer, on the other hand, will be the data controller, actively processing the data for its own business purposes. Depending on the service model used, its responsibilities could include controlling the virtual infrastructure and any application security. Although both parties process data and hold certain obligations as a result, the ICO treats the cloud provider as an extension of the cloud customer, having the responsibilities of both a data controller and a data processor only if it acts as a data controller 'in its own right'. Because the cloud customer determines the purpose and manner in which the data is processed, the onus is placed on the cloud customer to ensure that the cloud provider complies with the DPA. In the event of a breach by the cloud provider involving the cloud customer's personal data, all liability and enforcement action would be directed towards the cloud customer.

What does this mean in practice?

It was recently reported by Europa that 80% of cloud customers achieve an IT cost saving of at least 10-20%, and of these, 20% report savings of 30% or more. Despite this economic benefit, however, failure to comply with the DPA could see a penalty engulfing some or all of this benefit. Penalties for breach of the DPA have reached £325,000, making headlines that 'name and shame' the cloud customer. On top of this, the cloud customer could risk its client relationships and overall reputation as a result of the breach. It will be of no further comfort to cloud customers that the Draft Regulation proposes that the current maximum fine of £500,000 be replaced by 2% of the organisation's global annual turnover.

Best approach to take

Although there is no 'one size fits all' approach to data protection compliance, the ICO highlighted the following in its Guidance:

Assess the cloud computing service
The cloud customer should strategically review the type of cloud computing offered (e.g. private, community, public or a hybrid cloud) and the service model required (e.g. Infrastructure as a Service, Platform as a Service or Software as a Service). The ICO emphasises that it is the cloud customer's choice as to the type of cloud computing it uses and therefore its responsibility to choose that which will allow it to comply with the DPA.

Review the personal data
Different types of personal data will require different measures to be put in place to protect it, as the level of protection required will depend on the volume and nature of the personal data and the likely damage that would arise in the event of a breach. Carefully select and categorise the type of data being processed, including any metadata that is collected as a result. If the data is sensitive then the cloud customer should require the information to be encrypted. Alternatively, consider removing sensitive personal data (or indeed all personal data if possible) from the data being transferred. If all personal data can be made anonymous or removed prior to transfer into the cloud, that is even better.

Understand the proposed service model
How will the personal data be processed by the cloud provider? What are the risks and how can they be mitigated? This is especially important to consider when the cloud customer is dealing with cloud providers who are based, or who store data, outside of the European Economic Area, as in those circumstances steps must be taken to ensure that 'adequate protection' is in place to protect it. Ultimately, it is up to the cloud customer to conduct a privacy impact assessment and to form a view on the adequacy of protection afforded to data held in the cloud.

Select the appropriate cloud provider
The cloud customer should ensure that the cloud provider has sufficient physical, technical and organisational security in place. Appropriate contractual assurances to this effect should be obtained, but comprehensive due diligence and continuous monitoring are also essential if the cloud customer is to make an informed decision on whether or not the model is compliant with the DPA.

Obtain informed consent
Whether it is a new or an established client, the cloud customer will require consent from its client to process the personal data for the specified purpose. In order to ensure that the consent obtained is 'fully informed', certain information will have to be communicated to them. In particular, the client should be informed as to how their personal data will be protected, where it will be stored and who it will be disclosed to. Clients should also be provided with clear instructions as to how to opt out of the process. The Draft Regulation also proposes a right to be forgotten, which will need to be considered.

Contract
Having a contract in place with the cloud provider is essential. It should cover issues such as confidentiality, access control, transfer, deletion, recovery, training and audit requirements, as well as security and restrictions on the purposes for which and the manner in which the cloud provider can process the personal data. In practice, it is best to avoid non-negotiable terms and conditions, as they might hinder the cloud customer's ability to comply with the DPA. If necessary, consider using a different provider.

Monitor and review
As mentioned above, the responsibility for ensuring that the personal data is processed in accordance with the DPA, and liability under the DPA, remains with the data controller. Cloud customers should therefore continually monitor the cloud provider's activities in order to ensure that it is complying with its obligations under the contract. Reviewing the process and assessing the provisions of the contract will help bring to light necessary areas of improvement in the cloud computing service.

If nothing else, this Guidance has highlighted the fact that liability under the DPA at all times remains with the cloud customer as data controller in respect of the personal data it transfers to the cloud. It also highlights what is expected from cloud customers in terms of enforcing and monitoring compliance by the cloud provider. What is clear, however, is that with the growing popularity of cloud computing and the savings it offers, coupled with the significant changes that will be introduced by the Draft Regulation, we will no doubt see a noticeable increase in the administrative burden that this arrangement presents - for both data controller and data processor.

Sources
Shoosmiths' article: Cloud Computing: Supply Chain Issues
Shoosmiths' article: Data protection: Changes on the horizon Fri, 30 Nov 2012 00:00:00 Z<![CDATA[Nicky Jenkins ]]><![CDATA[
Data protection in the cloud In the world of cloud computing, the cloud provider will, in most cases, be the data processor, passively processing the data, for example, by storing it on its platform. Depending on the type of cloud used, the cloud provider's responsibilities could include providing infrastructure, physical security of the premises, operating system and network security. The cloud customer, on the other hand, will be the data controller, actively processing the data for its own business purposes. Depending on the service model used, its responsibilities could include controlling the virtual infrastructure and any application security. Although the parties both process data and hold certain obligations as a result, the ICO treats the cloud provider as an extension of the cloud customer, only having the responsibilities of both a data controller and a data processor if acting as a data controller 'in its own right'. Because the cloud customer determines the purpose and manner in which the data is processed, the onus is placed on the cloud customer to ensure that the cloud provider complies with the DPA. In the event of a breach by the cloud provider involving the cloud customer's personal data, all liability and enforcement action would be directed towards the cloud customer. What does this mean in practice? It was recently reported by Europa that 80% of cloud customers achieve an IT costs saving of at least 10-20%, and of these, 20% reporting savings of 30% or more. Despite this economic benefit, however, failure to comply with the DPA could see a penalty engulfing some or all of this benefit. Penalties for breach of the DPA are seeing fines reaching up to £325,000 making headlines that 'name and shame' the cloud customer. On top of this, the cloud customer could risk their client relationship and overall reputation as a result of the breach. 
It will be of no further comfort to cloud customers that the Draft Regulation proposes that the current maximum fine of £500,000 be replaced by 2% of the organisation's global annual turnover. Best approach to take Although there is no 'one size fits all' approach to data protection compliance, the ICO highlighted the following in its Guidance: Assess the cloud computing service The cloud customer should strategically review the type of cloud computing offered (e.g. private, community, public or a hybrid cloud) and the service model required (e.g. Infrastructure as a Service, Platform as a Service or Software as a Service). The ICO emphasises that it is the cloud customer's choice as to the type of cloud computing it uses and therefore its responsibility to choose that which will allow it to comply with the DPA. Review the personal data Different types of personal data will require different measures to be put in place to protect it as the level of protection required will depend on the volume and nature of the personal data and the likely damage that would arise in the event of a breach. Carefully select and categorise the type of data being processed, including any metadata that is collected as a result. If the data is sensitive then the cloud customer should require the information to be encrypted. Alternatively, consider removing sensitive personal data (or indeed all personal data if possible) from the data being transferred. If all personal data can be made anonymous or removed prior to transfer into the cloud, that is even better. Understand the proposed service model How will the personal data be processed by the cloud provider? What are the risks and how can they be mitigated? This is especially important to consider when the cloud customer is dealing with cloud providers who are based or who store data outside of the European Economic Area, as in those circumstances steps must be taken to ensure that 'adequate protection' is in place to protect it. 
Ultimately, it is up to the cloud customer to conduct a privacy impact assessment and to form a view on the adequacy of protection afforded to data held in the cloud. Select the appropriate cloud provider The cloud customer should ensure that the cloud provider has sufficient physical, technical and organisational security in place. Appropriate contractual assurances to this effect should be obtained but comprehensive due diligence and continuous monitoring is also essential if the cloud customer is to make an informed decision on whether or not the model is compliant with the DPA. Obtain informed consent Whether it is a new or an established client, the cloud customer will require consent from its client to process the personal data for the specified purpose. In order to ensure that the consent obtained is 'fully informed', certain information will have to be communicated to them. In particular, the client should be informed as to how their personal data will be protected, where it will be stored and who it will be disclosed to. Clients should also be provided with clear instructions as to how to opt out of the process. The Draft Regulations also propose a right to be forgotten, which will need to be considered. Contract Having a contract in place in place with the cloud provider is essential. It should cover issues such as confidentiality, access control, transfer, deletion, recovery, training and audit requirements as well as security and restrictions in terms of the purposes in which and manner in which the cloud provider can process the personal data. In practice, it is best to avoid non-negotiable terms and conditions, as they might hinder the cloud customer's ability to comply with the DPA. If necessary, consider using a different provider. Monitor and review As mentioned above, the responsibility for ensuring that the personal data is processed in accordance with the DPA, and liability under the DPA remains with the data controller. 
Cloud customers should therefore continually monitor the cloud provider's activities in order to ensure that it is complying with its obligations under contract. Reviewing the process and assessing the provisions of the contract will help bring to light necessary areas of improvement in the cloud computing service. If nothing else, this Guidance has highlighted the fact that liability under the DPA at all times remains with the cloud customer as data controller in respect of the personal data it transfers to the cloud. It also highlights what is expected from cloud customers in terms of enforcing and monitoring the compliance against the cloud provider. What is clear, however, is that with the growing popularity of cloud computing and the savings it offers coupled with the significant changes that will be introduced by the Draft Regulation, we will no doubt see a noticeable increase in the administrative burden that this arrangement presents - for both data controller and data processor. Sources Shoosmiths' article: Cloud Computing: Supply Chain Issues Shoosmiths' article: Data protection: Changes on the horizon ]]>{E70D5BC0-2704-44FA-838E-D15CB46C1A0A}https://www.shoosmiths.co.uk/client-resources/legal-updates/failure-to-rectify-data-mix-up-leads-to-ico-fine-4259.aspxFailure to rectify data mix-up leads to ICO fine The Information Commissioners Office has fined an insurance company for mixing up two customers' accounts and failing to rectify the mistake The Information Commissioners Office (the "ICO") has recently issued a significant fine, not because an organisation has lost data, but because they muddled up account data. The ICO came down heavily on the insurance company Prudential after an error in identification led to the merging of two customers' accounts in March 2007. 
The fine of £50,000 (reduced by 20% to £40,000 if paid by the end of the month), issued at the end of October, is believed to be the first to be imposed that does not relate to a significant data loss.

What happened?

Unhappily for Prudential, the two customers involved had the same first name and surname and the same date of birth, and a significant amount of money, reported to be in the tens of thousands of pounds, intended for one of the customers' retirement fund was transferred to the wrong account. The mistake, which is alleged to have been initially caused by one of the customers' financial advisers, was not rectified by Prudential and the error continued for several years.

Why was the fine so high?

The severity of the fine was due to the significant sums involved and the failure by Prudential to investigate and rectify the error: despite being informed of the mistake several times, including in writing by one of the customers, the error continued for a further six months.

Stephen Eckersley (ICO Head of Enforcement) has said: "Organisations must make sure the information they hold on their customers' files is accurate and kept up to date in order to comply with the Data Protection Act. In this case two customer files were consistently confused and the company failed to remedy the situation despite being alerted to the problem on more than one occasion before it was finally resolved." He also added: "We hope this penalty sends a message to all organisations, but particularly those in the financial sector, that adequate checks must be in place to ensure people's records are accurate".

A warning

The fine demonstrates that the ICO is pursuing its focus on the priority sectors announced earlier this year, which included credit and finance. Clearly this focus is not misplaced, as approximately 15% of complaints to the ICO last year were due to concerns in the financial sector.

However, this case should serve as a warning to all organisations dealing with personal data, whether it relates to clients, employees or other individuals: the ICO is flexing its muscle, and not only in respect of "lost" personal data. In light of the forthcoming reforms to data protection across the European Economic Area, such enforcement action is only likely to increase; as such, the time is now ripe for all organisations to review data protection compliance in respect of both customer and employee records, including policies and training.

How can we help?

Did you know that Shoosmiths has a dedicated data protection team, which can assist with all your data protection questions? To find out more see our website.
Tue, 13 Nov 2012 00:00:00 Z<![CDATA[Stuart Lawrenson ]]><![CDATA[
]]>{4441EFFB-3530-45CF-B15C-81D88EE06F0F}https://www.shoosmiths.co.uk/client-resources/legal-updates/data-protection-employers-can-be-liable-for-their-contractors-mistakes-4072.aspxData protection: employers can be liable for their contractors' mistakes

A recent fine imposed by the Information Commissioner on Scottish Borders Council demonstrates that employers can be liable for breach of data protection legislation by their contractors.

All employers handling data about employees must comply with the Data Protection Act 1998 (the Act) and, in particular, the eight data protection principles set out in that legislation. However, this obligation does not just apply directly to an employer but extends to all service providers who may be handling employees' personal data on behalf of that employer; for example, scanning and waste disposal companies.

Employers are highly likely to handle employees' "sensitive personal data", as defined under the Act, in the running of their day-to-day business. Sensitive personal data includes health records and marital status, so will be particularly relevant in the context of pension administration.

Employers cannot abdicate their responsibilities and must be satisfied that their service providers are compliant with the requirements of the Act. This is borne out by a recent case in which the Scottish Borders Council was fined £250,000 by the Information Commissioner. In this case, 670 pension files were found by a member of the public in a supermarket recycling bin. The Council, in its capacity as employer and data controller, was held liable for the files being destroyed in an insecure manner by its outsourced service provider, who was responsible for scanning employees' pension files.

The Council had made several errors under the Data Protection legislation:

- there was no agreement in writing with the outsourced service provider;
- it had not checked the arrangements for handling sensitive personal data in the pension files;
- it failed to ensure that the scanned pension files were disposed of securely.

Comment

When it comes to Data Protection, employers are liable to pay the price for the failings of their outsourced service providers. It is therefore essential that employers have streamlined and compliant arrangements in place to try to avoid incurring substantial fines due to the shortcomings of their outsourced service providers. As a minimum, there should be a written agreement between the data controller and the data processor, which should contain warranties regarding compliance with the data protection principles and an indemnity for any breach of the Act, to encourage best practice.
Fri, 05 Oct 2012 00:00:00 +0100<![CDATA[Stuart Lawrenson ]]><![CDATA[
]]>{1CC8576E-3594-4CCB-A9A5-23D78EA869A8}https://www.shoosmiths.co.uk/client-resources/legal-updates/data-protection-during-recruitment-top-10-tips-for-managers-3006.aspxData protection during recruitment: top 10 tips for managers

Throughout the employment relationship employers process their employees' personal data. At every stage, employers' compliance with the Data Protection Act 1998 is critical, but all too easy to get wrong.
Complying with the Data Protection Act ("DPA") is increasingly a concern for employers, as failure to do so brings the prospect of negative publicity and, ultimately, significant fines. In this article, we suggest 10 "Top Tips" for dealing with personal data during the recruitment process.

Background

Personal data is defined as information which relates to a living person where that person can be identified from the data, either alone or in conjunction with other data held by the employer. So, in the context of recruitment, a completed application form is likely to constitute personal data. Some documents used during the recruitment process (e.g. medical questionnaires, interview notes) may also contain "sensitive personal data". This is information which relates, for example, to the person's race, religion, political views, health etc. Such data, because of its nature, attracts a higher level of protection and must be handled with particular care. The DPA requires all types of personal data to be processed fairly and lawfully in accordance with the requirements of the legislation.

Like employees, job applicants can make a "subject access request" under the DPA and are entitled to find out what personal data a prospective employer holds about them and to receive a copy. The prospective employer must also state the purposes for which the applicant's data is being processed and to whom the information may be disclosed.

Top 10 Tips for recruitment

With this in mind, how should employers process personal data received during the recruitment process to ensure that they are complying with the DPA?

1. Explain in the job advertisement or application form how an applicant's personal data will be processed. Set out clearly whether information such as CVs and application forms from unsuccessful applicants will be retained for future recruitment processes or shared within the wider group. Make sure applicants are given the opportunity to request that their details are removed altogether.

2. Use appropriate security measures for online application forms / CVs submitted electronically so that only those involved in the recruitment process, and who need to see them, can access them.

3. Ensure any questions in application forms are relevant and tailored to the specific job. For example, only request information on criminal convictions where this is relevant and necessary for the role. Information collected should not be excessive.

4. Do not request any sensitive personal data at the outset of the application process, unless this is used for the purpose of equal opportunities monitoring (see below). This information is not normally needed to reach a recruitment decision. If any sensitive personal data is requested, keep this separate from any application form so that the interviewing manager does not have access to it.

5. Where possible, anonymise any sensitive personal data gathered during the recruitment process, so that it ceases to fall under the definition of "personal data".

6. Consider introducing equal opportunities monitoring for applicants. This is a requirement for public authorities, but may also be useful for private companies to demonstrate compliance with equality laws. Be aware that this information is likely to be sensitive personal data and so will require the applicant's consent to collect and use it (unless the information is anonymised). Make it clear that this information is not required for any ongoing employment relationship.

7. Adopt a clear policy for retaining / disposing of unsuccessful or unsolicited applicants' CVs. If a letter of acknowledgment is sent to the applicant, let them know that their application will be kept on file for a certain period of time and will not be disclosed to any third parties without their consent.

8. Do not keep recruitment records for longer than 6 months after the recruitment exercise where possible. The statutory period during which an unsuccessful applicant may bring a discrimination claim arising from the recruitment process is 3 months, but it is possible for this period to be extended by the tribunal in exceptional circumstances, hence the longer recommended retention period.

9. In relation to successful applicants, do not retain information from their application form which has no bearing on the ongoing employment relationship. Delete any information about successful applicants' criminal convictions collected during the recruitment phase once this has been verified by the CRB. You only need to keep a record of whether a CRB check had a satisfactory or unsatisfactory result.

10. Keep notes during the recruitment process (e.g. during interviews), but be aware that these notes may constitute personal data and would be disclosable to an applicant as part of a subject access request.
Mon, 03 Sep 2012 00:00:00 +0100<![CDATA[Helen Burgess ]]><![CDATA[
]]>{E94E5725-EC74-4F99-BDD9-8F20708AA290}https://www.shoosmiths.co.uk/client-resources/legal-updates/data-protection-is-organisation-committing-offence-2863.aspxData protection notification: Is your organisation committing a criminal offence?

Some organisations may be falling foul of the Data Protection Act 1998 by failing to notify details of their personal data processing to the Information Commissioner's Office (ICO). Notification is a legal requirement for every organisation that processes personal information (unless they are exempt), and failure to comply with this obligation is a criminal offence.

The register

The ICO maintains a public register of organisations that process personal data, together with details about the types of personal information they process and the purposes for which they process it. The register and each organisation's individual notification are publicly available to view via the ICO website.

What is notification?

Notification requires organisations to provide certain minimum information to the ICO, including:

- name and address;
- types of personal data processed;
- purposes for which the data is processed;
- confirmation about whether or not they transfer data outside the European Economic Area.

These details are then added to the register maintained by the ICO.

Who must notify?

Most organisations processing personal data are required to notify, but there are some limited exemptions. Where these apply, an organisation will not be required to notify. Such exemptions include some not-for-profit organisations and where an organisation processes data only for certain limited purposes such as staff administration.

Even organisations that are exempt from the notification obligation are still required to ensure that their processing of personal data is conducted in accordance with the eight Data Protection Principles set out in the Data Protection Act 1998. Exempt organisations are free to notify voluntarily if they wish. The ICO has published guidance to help organisations decide if they are exempt.

How to notify?

Notification is a relatively simple process and can be completed online, by phone or by post to the ICO. Notification must be renewed on an annual basis, and a fee is payable both on submission of the first notification and each year thereafter. The fee payable depends on an organisation's size and turnover. For an organisation with an annual turnover of £25.9m and 250 or more staff, the annual fee is £500. For smaller organisations it is £35.

Keeping the register up-to-date

Organisations are responsible for ensuring the content of their ICO notification is kept accurate and up-to-date. Any changes to the notification (for example if new types of information are being processed or data is being used for new purposes) must be notified in writing to the ICO (quoting the security number provided on the original letter confirming acceptance onto the register) as soon as possible and within 28 days of the change. Failure to keep a register entry up-to-date is a criminal offence. It is not possible to change the legal entity of a data controller, for example on a restructuring, and a further notification must be made in such circumstances.

Where can I get further information?

The ICO's website has extensive guidance on notification.

How can we help?

For advice on whether your organisation is required to notify (or whether you are exempt), the content of your notification, or any other queries regarding the processing of personal data, please contact a member of our data protection team: aisling.duffy@shoosmiths.co.uk or louise.randall@shoosmiths.co.uk
Mon, 20 Aug 2012 00:00:00 +0100<![CDATA[Nicky Jenkins ]]><![CDATA[
]]>{8871D120-6C1D-4655-8178-2DD17BF43F55}https://www.shoosmiths.co.uk/client-resources/legal-updates/personal-data-breach-costs-nhs-trust-175000-pounds-2818.aspxPersonal data breach costs NHS Trust £175,000

On 6 August 2012 Torbay Care Trust was fined £175,000 by the Information Commissioner's Office (ICO), after personal and sensitive data about more than 1,000 employees was accidentally published on its website.

The personal information concerned the equality and diversity responses provided by 1,373 staff, and included the names, dates of birth and National Insurance numbers of individuals, plus details about their religion, 'disabled' status, ethnicity and sexual orientation. What made matters worse is that the blunder only came to the Trust's notice after 19 weeks, when it was reported by a member of the public. During that time, the Trust's website received 21,000 visitors, with approximately 300 visits made to the webpage featuring the spreadsheet containing the personal data.

In this instance, the ICO said its investigation 'found that the Torbay Care Trust had no guidance for employees on what information shouldn't be published online and had inadequate checks in place to identify potential problems'. The ICO found that the incident amounted to a serious breach of Principle 7 of the Data Protection Act 1998, which requires organisations to put in place and maintain appropriate technical and security measures to protect personal data against unauthorised or unlawful processing and accidental loss, destruction or damage.

In particular, it concluded that the Trust had failed to have effective policies and procedures in place to control the dissemination of personal data. The ICO also said the breach had the potential to expose individuals not only to substantial damage and distress, but also to the risk of financial loss and identity theft.

Lessons learned

As well as highlighting the need for organisations to have comprehensive and effective policies and procedures in place to control the use and processing of personal data, this case also demonstrates the need for companies to ensure their employees receive adequate training about the Act and its requirements. Training is a necessary element in raising awareness and reducing the risk of breaches like this taking place. Guidance and training should be given to all staff who access personal data, and compliance with the policies and procedures should be actively monitored and enforced.

What can you do?

For further information or assistance on data protection compliance, please contact:

Aisling Duffy
Associate
03700 865089
aisling.duffy@shoosmiths.co.uk
Mon, 13 Aug 2012 00:00:00 +0100<![CDATA[Nicky Jenkins ]]><![CDATA[
]]>